Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.2.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.2.exe (non-ASCII characters escaped as #Uxxxx; decodes to 安装助手1.0.2.exe)
renamed because original name is a hash value
Original sample name: 安装助手1.0.2.exe
Analysis ID: 1579802
MD5: 8d24ff51c87bc901cb4c88cb885dc15a
SHA1: c8f7e17799b8ad0769f83b2d7d8f491384aa93d0
SHA256: 52ae54a6103be491559249ed1ed982b69b06948849a880db142eb37ff0484a3b
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe (PID: 1252 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" MD5: 8D24FF51C87BC901CB4C88CB885DC15A)
    • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (PID: 5900 cmdline: "C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1040C,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 5084 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 408 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b1.0.2.exe (PID: 320 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT MD5: 8D24FF51C87BC901CB4C88CB885DC15A)
        • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (PID: 6600 cmdline: "C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$30410,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 6596 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 2924 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4564 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3364 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5660 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 728 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6156 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2508 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 384 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 892 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3812 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2448 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5876 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6380 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2920 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5996 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1656 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5700 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5752 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5608 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1972 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 384 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1240 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5472 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6520 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2956 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2804 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1040C,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 5900, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5084, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4564, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3364, ProcessName: sc.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4564, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3364, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1040C,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 5900, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5084, ProcessName: powershell.exe
No Suricata rule has matched

Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2191572418.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2191471311.0000000003240000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 7_2_6C0DAEC0 FindFirstFileA,FindClose,FindClose,7_2_6C0DAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00F26868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_00F26868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00F27496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_00F27496
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2057296684.000000007F8FB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2056890202.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000000.2058800452.00000000002F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000007.00000000.2150867718.00000000006AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.6.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2057296684.000000007F8FB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2056890202.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000000.2058800452.00000000002F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000007.00000000.2150867718.00000000006AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.6.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Process information set: 01 00 00 00

System Summary

Source: update.vac.2.dr Static PE information: section name: .=~
Source: update.vac.7.dr Static PE information: section name: .=~
Source: hrsw.vbc.7.dr Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF63886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0E5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0E5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF63A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF639CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF63D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF63D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF63C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF61950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF64754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF74A27
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF64754
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0E1880
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0E6A43
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C146CE0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C196D10
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B4DE0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C118EA1
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C132EC9
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C19EEF0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C16AEEF
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C18E810
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A6820
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B4870
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C164896
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1AC8D0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1BA91A
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C196900
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1AA930
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A8950
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C118972
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B6999
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1BAA00
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C170A52
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A4AA0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C130B66
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C18AB90
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C120BCA
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1AEBC0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A4489
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1784AC
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C19E4D0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C182521
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A8520
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C19C580
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C192580
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1945D0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1AE600
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B46C0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A67A0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B67C0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C11C7CF
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C17C7F3
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C190020
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C19E0E0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A8200
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1AC2A0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C193D50
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C167D43
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B5D90
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C199E80
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C171F11
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C18589F
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A78C8
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1999F0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C18FA50
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C191AA0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C18DAD0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C13540A
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C19F5C0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C15F5EC
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C18B650
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1AF640
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1996E0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B9700
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B37C0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C19F050
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C133092
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1971F0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C19D280
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C19D380
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A6AF0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1A3750
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F681EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F94250
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB8240
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FBC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F98650
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F9C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F70943
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F98C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F810AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FAD089
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F9D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA5180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB1120
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FBD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F853F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F253CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F6D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FBD470
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F21572
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB1550
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FAD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F79652
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F297CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F39766
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FBD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F21AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA5F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F3E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FC2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F8E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F966D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F9A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FBE990
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F7AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA70D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F9B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F8B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB7200
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F4B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FBF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FAF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FAF420
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F97410
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FBF599
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB3530
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FC351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F9F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FC3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FB77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F93790
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F4F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F9F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F73AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F3BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F3BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F9FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: String function: 6C119240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: String function: 6C1B6F10 appears 728 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00FBFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00F228E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00F21E40 appears 171 times
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.6.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.6.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2056890202.0000000002E2E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2057296684.000000007FBFA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000000.2055100882.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal76.evad.winEXE@136/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0E5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F29313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F33D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F29252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0E5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File created: C:\Program Files (x86)\Windows NT\is-AP3JU.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2928:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe File created: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1040C,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$30410,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1040C,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$30410,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static file information: File size 5707508 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2191572418.0000000003440000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2191471311.0000000003240000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00FA57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_00FA57D0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: real checksum: 0x0 should be: 0x5810a0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.7.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x343a15
Source: hrsw.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.13.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.6.dr | Static PE information: section name: .didata
Source: 7zr.exe.7.dr | Static PE information: section name: .sxdata
Source: update.vac.7.dr | Static PE information: section name: .00cfg
Source: update.vac.7.dr | Static PE information: section name: .voltbl
Source: update.vac.7.dr | Static PE information: section name: .=~
Source: is-6EMI6.tmp.7.dr | Static PE information: section name: .xdata
Source: hrsw.vbc.7.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.7.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.7.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 7_2_6C0E86EB push ecx; ret 7_2_6C0E86FE
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 7_2_6BF90F00 push ss; retn 0001h 7_2_6BF90F0A
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 7_2_6C1B6F10 push eax; ret 7_2_6C1B6F2E
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 7_2_6C11B9F4 push 004AC35Ch; ret 7_2_6C11BA0E
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 7_2_6C1B7290 push eax; ret 7_2_6C1B72BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00F245F4 push 00FCC35Ch; ret 11_2_00F2460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00FBFB10 push eax; ret 11_2_00FBFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 11_2_00FBFE90 push eax; ret 11_2_00FBFEBE
Source: update.vac.2.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.7.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.7.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeFile created: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\is-6EMI6.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-B0RTB.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-PEHQ7.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-PEHQ7.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Users\user\AppData\Local\Temp\is-B0RTB.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeFile created: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpJump to dropped file
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6011
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3846
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Window / User API: threadDelayed 535
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Window / User API: threadDelayed 597
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Window / User API: threadDelayed 489
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-6EMI6.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B0RTB.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PEHQ7.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PEHQ7.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B0RTB.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0DAEC0 FindFirstFileA,FindClose,FindClose, 7_2_6C0DAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F26868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_00F26868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F27496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_00F27496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F29C60 GetSystemInfo, 11_2_00F29C60
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000002.2166094206.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\pK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6BF63886 NtSetInformationThread 00000000,00000011,00000000,00000000 7_2_6BF63886
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0F0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6C0F0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FA57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_00FA57D0
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0F9D35 mov eax, dword ptr fs:[00000030h] 7_2_6C0F9D35
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0F9D66 mov eax, dword ptr fs:[00000030h] 7_2_6C0F9D66
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0EF17D mov eax, dword ptr fs:[00000030h] 7_2_6C0EF17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C0E8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6C0E8CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.13.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 7_2_6C1B7700 cpuid 7_2_6C1B7700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (logged 6 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (logged 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00F2AB2A GetSystemTimeAsFileTime, 11_2_00F2AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_00FC0090 GetVersion, 11_2_00FC0090
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000007.00000002.2315060523.000000000134A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the signature count shown in the matrix cell; entries without a number are the matrix's unflagged default cells):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Service Execution (1); Native API (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Process Injection (111); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Access Token Manipulation (1); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (331); Virtualization/Sandbox Evasion (231); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (3); System Information Discovery (25); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1579802, Sample: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Startdate: 23/12/2024, Architecture: WINDOWS, Score: 76
Graph-level signatures: Found driver which could be used to inject code into processes; PE file contains section with special chars; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Process tree recovered from the behavior graph:
#U5b89#U88c5#U52a9#U624b1.0.2.exe
  dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.2.tmp (PE32)
  started: #U5b89#U88c5#U52a9#U624b1.0.2.tmp
    dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    signature: Adds a directory exclusion to Windows Defender
    started: #U5b89#U88c5#U52a9#U624b1.0.2.exe
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.2.tmp (PE32)
      started: #U5b89#U88c5#U52a9#U624b1.0.2.tmp
        dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Program Files (x86)\...\trash (copy) (PE32+); C:\Program Files (x86)\...\is-6EMI6.tmp (PE32+); 3 other files (1 malicious)
        signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        started: 7zr.exe (dropped C:\Program Files (x86)\...\tProtect.dll (PE32+); started conhost.exe)
        started: 7zr.exe (started conhost.exe)
    started: powershell.exe
      signature: Loading BitLocker PowerShell Module
      started: conhost.exe; WmiPrvSE.exe
cmd.exe (2 instances shown) and 30 other processes
  started: sc.exe (5 instances shown plus 26 others), each of which started conhost.exe (6 instances shown plus 25 others)

Source / Detection / Scanner / Label / Link
#U5b89#U88c5#U52a9#U624b1.0.2.exe: 0%, ReversingLabs
Source / Detection / Scanner / Label / Link
C:\Program Files (x86)\Windows NT\7zr.exe: 0%, ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc: 11%, ReversingLabs
C:\Program Files (x86)\Windows NT\is-6EMI6.tmp: 0%, ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll: 9%, ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy): 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp: 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\is-B0RTB.tmp\_isetup\_setup64.tmp: 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\is-B0RTB.tmp\update.vac: 11%, ReversingLabs
C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp: 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PEHQ7.tmp\_isetup\_setup64.tmp: 0%, ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PEHQ7.tmp\update.vac: 11%, ReversingLabs
No Antivirus matches
No contacted domains info
Name / Source / Malicious / Antivirus Detection / Reputation
https://aria2.github.io/Usage: ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; Malicious: false; Reputation: high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; Malicious: false; Reputation: high
https://github.com/aria2/aria2/issuesReport ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; Malicious: false; Reputation: high
http://www.metalinker.org/ ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; Malicious: false; Reputation: high
https://www.remobjects.com/ps ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2057296684.000000007F8FB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2056890202.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000000.2058800452.00000000002F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000007.00000000.2150867718.00000000006AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.6.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr; Malicious: false; Reputation: high
https://aria2.github.io/ ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; Malicious: false; Reputation: high
https://github.com/aria2/aria2/issues ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; Malicious: false; Reputation: high
https://www.innosetup.com/ ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2057296684.000000007F8FB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.2056890202.0000000002D10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000000.2058800452.00000000002F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000007.00000000.2150867718.00000000006AD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.6.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr; Malicious: false; Reputation: high
http://www.metalinker.org/basic_string::_M_construct ; Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000002.00000003.2147519804.0000000003F29000.00000004.00001000.00020000.00000000.sdmp, is-6EMI6.tmp.7.dr; Malicious: false; Reputation: high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579802
Start date and time: 2024-12-23 09:33:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 108
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b1.0.2.exe (renamed because the original name is a hash value)
Original Sample Name: 1.0.2.exe
Detection: MAL
Classification: mal76.evad.winEXE@136/32@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 28
• Number of non-executed functions: 76
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: #U5b89#U88c5#U52a9#U624b1.0.2.exe
No simulations
No context
Match / Associated Sample Name or URL / SHA 256 / Detection / Threat Name / Link / Context
C:\Program Files (x86)\Windows NT\7zr.exe matches:
• #U5b89#U88c5#U52a9#U624b_2.0.8.exe, malicious, Unknown
• #U5b89#U88c5#U52a9#U624b_2.0.8.exe, malicious, Unknown
• #U5b89#U88c5#U52a9#U624b_2.0.6.exe, malicious, Unknown
• #U5b89#U88c5#U52a9#U624b_2.0.6.exe, malicious, Unknown
• #U5b89#U88c5#U52a9#U624b_2.0.7.exe, malicious, Unknown
• #U5b89#U88c5#U52a9#U624b_2.0.7.exe, malicious, Unknown
• #U5b89#U88c5#U52a9#U624b_2.0.5.exe, malicious, Unknown
• #U5b89#U88c5#U52a9#U624b_2.0.4.exe, malicious, Unknown
• #U5b89#U88c5#U52a9#U624b_2.0.5.exe, malicious, Unknown
Process: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999190724188688
Encrypted: true
SSDEEP: 6144:XiH33/Xofh9jGU9Xfxc+fezUh4buMTPKOM+3Hj:XGPonZ5G49MTyoHj
MD5: 07861A39CF1633A3AE529B0AE04C40E1
SHA1: 3B44EFE0BEB2F5CB2F66BBC61DE5B30FDCDE5A47
SHA-256: F693C2A4124E1E7A072F6FA826D86BFCB2C2D46C584F57107B993355919EAD65
SHA-512: 65865B81EA2EBA946416238F93989999B9B07326A3B7A62B72CD7C4498880E4E8C482A5B315F918407A81CCFED4BAEB26F2DAA93B96D97113C7EDBB067FB10C7
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3598848
Entropy (8bit): 7.004949099807939
Encrypted: false
SSDEEP: 49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5: 1D1464C73252978A58AC925ECE57F0FB
SHA1: 30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256: 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512: 40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 11%
Process: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5649408
Entropy (8bit): 6.392614480390128
Encrypted: false
SSDEEP: 98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5: 8C71B86BF407C05BAF11E8D296B9C8B8
SHA1: 6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256: BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512: BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
File Type: data
Category: dropped
Size (bytes): 249984
Entropy (8bit): 7.999190724188688
Encrypted: true
SSDEEP: 6144:XiH33/Xofh9jGU9Xfxc+fezUh4buMTPKOM+3Hj:XGPonZ5G49MTyoHj
MD5: 07861A39CF1633A3AE529B0AE04C40E1
SHA1: 3B44EFE0BEB2F5CB2F66BBC61DE5B30FDCDE5A47
SHA-256: F693C2A4124E1E7A072F6FA826D86BFCB2C2D46C584F57107B993355919EAD65
SHA-512: 65865B81EA2EBA946416238F93989999B9B07326A3B7A62B72CD7C4498880E4E8C482A5B315F918407A81CCFED4BAEB26F2DAA93B96D97113C7EDBB067FB10C7
Malicious: false
                                      Preview:.@S....g %..,.................8..=....JO. G.2.^...:...1O....bQs.Do.cv...I.&.<&.R...nN.....m..&)}uC.=:......u.{.w^2..%..h.wQ..z.".8X.hp..j......Z.LT.Q..X1m.W..........]...F..@..M....0..i..S.I/..f...Q.A..|~.....a.z.5.$.Y,c.^.T./..5.....9+..-...R]..|.l....h..(.....Wg..2.|.._.s.....A...D..j.+...s.E..2.u..."s...v..4...d\bdm_..ag.......Y....X...........JcWPXd@..400...LTO.#.....W.......{..?.i........... 6>;d..)..x......0..]_R..)F...R.@Y....\m.[.....G.x:H.e......3}qu..y......c.s.&!.X..e?..J....F.A..C.i.#-..."Rx.......$3>..n...@.....],@....C.Rz.V.r......8h....t+O?.?... L......T..J.e.T....."..a_..%...l....q..fq....1...V......[..O..`..?.%,:..`\.{..Uws.J3...V.1.:.e..W..e..26.....{.."k.;.Hqv..b.US...^v.M.U...<..@...I[....Hf..j..5.o..f@.6.......0.3......1l....,C....;...N.N+q.>...a.|.UL..a....(. &...W..L@.Mg.RD.4.!..d3.Q.u...z.z.f..[....?K...;...@.A(la.e......w..ct"6.B+........#.....ZMh..^"j...c.g)Y9A.e`......x{.PoT..I........5...^...T/..N..-......
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996401713517506
                                      Encrypted:true
                                      SSDEEP:1536:oGFeM+b/z9Q8Hf+hyC3oOOlOvsVq8iE7V4JDoyaNjHVG+:oG0jb/x3+hyUZGVniVJMtNjHw+
                                      MD5:5C87B157659C2E106E0B4688CAB6B416
                                      SHA1:0CD17EA860DB582A8103011DBAAF6A7C5D67D4A8
                                      SHA-256:3E1EEF1D48BCBB503CBB7F85711E09BF49589681192F57B4A28087AAD03F6D34
                                      SHA-512:4DDA59F57C2E2B5495512C937D6F8647BE5C2FE2D194EBE136CF3F33CD4EEBB49449F1771EF3F663BB3C3A2D1B60E0FD631A3DAD892EF8E7DAEFAE5750712AC3
                                      Malicious:false
                                      Preview:.@S.......l .................>..."s:Q.....^0.g]{...l.#..".Q,....zJ....i..../..B..B...,.....p..q.*>L_......Qo...~.R."..n(\t..Ui...k.w...@:.=0.W.4?;..4.....7....o3D.'Y.N[+....Ko..PT'..P........3...Z....D]YeAO/W).l'..W..W..V.a...U..W.O....v.....z.#...:..;.L.......v.......m.......h.S{....zgZ.A+.4".d+.Hl.<%....].J.s......7..G.f..T...S.W..}).w....$~.<"...>.]^C....=..gH(...j...}..$...'..6.T.g.g!..{B..l.L...%$..~...~.]Z....[n}^.A....#<...FG.L.....v.(..S ..A..{K.,.N....b..$...Nu$.....t.F......0....."..j5....u.l.>.......E[t!s.7*kpT.,%..*7..}{.?.....1)..Uq1\.:RI.?f...Z..?p.U...<.6I.z...7Qh..`.I...<9.!.s..........f..j[....[9R......&.=...q.....b.p.C3.!#.-..V/...[i..KC.F..y.0.OA..I5.G@......B..D...........V..,h.s.3V.Z.u......l....=..e....C...F.......a_."..[...3.......l....X#.M4..ff%c.R...R....g....... o.....o.).m..H.?&.E.IZ..].}..\..`8Z8....K..w.Kh.9.e=..8.#.2Y.(..C/T^.qbQ....=?@.3.H-..{6a.....k_s...G.hJg...~.>......c..ID.K5i.9gZCs. ...Yu....Z..SpE.h.Y)..
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996401713517511
                                      Encrypted:true
                                      SSDEEP:1536:+UTRNG5MRWNsq6QcNR0NneqYoKk+1Bab+XUw1lSgWR:+FiafNPYrXBab+Ew1lSgs
                                      MD5:265DFDCCB7A5E843EA2BC63C6BC157DB
                                      SHA1:CE98E0CDB8ADA1BA19E298F5A3B92920A63C96A9
                                      SHA-256:4834855102AA4F56AFC332909712FA54A4FE1EC74D34F97B1EABDACF1D21EF53
                                      SHA-512:0D84C6185097FB3C2035E1721C60EEBDD7FF6435A726AA0B20B57D8C7385883D2A2AF3B12EF6D6FD1B71F82D47EF02CECC7FAD1C1045DE1254F240F9F943E287
                                      Malicious:false
                                      Preview:7z..'...h.+e........2........0...1...$|.!:.......7Ga...$`....X..!..7P.]n.yWko.D..*.)...~z.P%...9...#P.J..x..%tB.,.K.F....Np..;.s....dbvG..+........h0..<-Z'%.YY....S.....`.I}..y..3W|..W.J.....2dS..............r..K.ws.ka.2."?vY...w.i.L..0na&..d.7.V.R.......uK.a0.`..3..l...U/".\..Je..Rv.U%...Y........c......H..._.....M....w..y..v..W|P..B.Y.....9..j....&G2..'...9.'7.bt...[ ....b..9...}l.rG.@.;...qE...&.d..vz..^.........U.......E.A.=.........S.y...a..+..x..&...8.X.^S.)..4.K.N...}.g#z..._8.}Mp..RDmV..{.....!.. ..b.B.w"............7...Z...s.../\f>.....$T....Yw..;B+Q....{.. .:.......$\..T..wC.. ..a.O....~.L..J..|..w&"t)..%....D...YDL..B.(2...U..R....YD..RD!..=<..+.9~4.0......U...E>.=.B./Df..9..(.U.mRK8..G`.;.....!..n.Q.>.,.,..hw.Tqq8r..Oa.w.. i[.......2._E..C..WZ...6.H{..=...h...|..|/y.|l.G.h4'#=A...Sh.P.|.G..=.~...._..@*r.p.=.......]....N.#..a.w..Ix.Q......B...%...6/......@...S....8(sD...}x.E."...I...2.(......r..m..:....v.Zb~...d_x...........U)
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996966859255975
                                      Encrypted:true
                                      SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                      MD5:CEA69F993E1CE0FB945A98BF37A66546
                                      SHA1:7114365265F041DA904574D1F5876544506F89BA
                                      SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                      SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                      Malicious:false
                                      Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996966859255979
                                      Encrypted:true
                                      SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                      MD5:4CB8B7E557C80FC7B014133AB834A042
                                      SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                      SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                      SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                      Malicious:false
                                      Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):31890
                                      Entropy (8bit):7.99402458740637
                                      Encrypted:true
                                      SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                      MD5:8622FC7228777F64A47BD6C61478ADD9
                                      SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                      SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                      SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                      Malicious:false
                                      Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):31890
                                      Entropy (8bit):7.99402458740637
                                      Encrypted:true
                                      SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                      MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                      SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                      SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                      SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                      Malicious:false
                                      Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.99759370165655
                                      Encrypted:true
                                      SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                      MD5:950338D50B95A25F494EE74E97B7B7A9
                                      SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                      SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                      SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                      Malicious:false
                                      Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.997593701656546
                                      Encrypted:true
                                      SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                      MD5:059BA7C31F3E227356CA5F29E4AA2508
                                      SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                      SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                      SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                      Malicious:false
                                      Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653607
                                      Encrypted:true
                                      SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                      MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                      SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                      SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                      SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                      Malicious:false
                                      Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653608
                                      Encrypted:true
                                      SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                      MD5:A9C8A3E00692F79E1BA9693003F85D18
                                      SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                      SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                      SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                      Malicious:false
                                      Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):249984
                                      Entropy (8bit):7.999190724188687
                                      Encrypted:true
                                      SSDEEP:6144:inOVnV9eG7iJt7TzrZm+vIuLDUlvIuZNpMOlfzTqZaqH:inOVnH2z7FVUlTF7s
                                      MD5:D347FD565397B611DCDA50560B3ECDEF
                                      SHA1:25225A99B860798E8A9241615D3C8FECB57FA2CD
                                      SHA-256:BC10732B9B1A5939245965B7595A9A829B81F9A47B4C6F13EA47CF1DCB4672A6
                                      SHA-512:5A6A6311581BB320722440E47BEE3DDD9E374184AD912D149C932BD81BF377215B3A8D198051A24B26FBA713FDBC998AA76C9A736B73613DB3E55E279D9A02E5
                                      Malicious:false
                                      Preview:7z..'......| .......@.......B.T.....1T....p.j._.jk...~..|y;....)..e..U...J."......)..d8..?..........TW.1=F...c....n........a.Z.+.u..q..USSa...r....<x..).O&.l...8$>.....;Y...5u.uV|..^m..+i.....Npk.owl.o..Q...-23A3r}....[.H..2A.d.3.T...Z. X...4.d.{}~...V....4.D.d6.~#.U..W....L.D..A`:RDv..`Z..1.i.cI..w.=..^.|...J.s(.&{....|......;.\..:LTh..Gf..%-..i\.*=yr.D.?........A.....d...).V.}1|.Da*"ly.....%b.....*BC.h.(c.....u..Q..N.P...i...-..@.F.C...%C....1?81..l...CP2.zE......W....g.6.W....~f..\F.*jG3..S.u...X....O..w..n..M...x......`.......;Jn-.?..)..q.w....p...92...@..\A.itH-..l..j.3P.v.s...[..........L^N.:...<.*..ye..pP1.kP.S!.r..j.k...,7.....d...@....h.b.S....v.?..YS....YE..-W.$J.T...w....8...R..i?.K;n.q....6.B....$.M..r.0.g.b..b.s}.4...(.eB4vC....C..k.kv*.1Pb......Uu@..{..J..Y.e{.g...4.7o....H..t...r..O..tT.8Mg.N.\...X3..~..A..yz-...Y.'...)../+.gk.(6~.......at L..:0..$FzHx$...d..Q\s..k...........$..Y...g-...-.h .z..a...J...8.KD.r..\.i
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):63640
                                      Entropy (8bit):6.482810107683822
                                      Encrypted:false
                                      SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                      MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                      SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                      SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                      SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 9%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):4096
                                      Entropy (8bit):3.3449406240731085
                                      Encrypted:false
                                      SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                                      MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                                      SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                                      SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                                      SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                                      Malicious:false
                                      Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):5649408
                                      Entropy (8bit):6.392614480390128
                                      Encrypted:false
                                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1628158735648508
                                      Encrypted:false
                                      SSDEEP:3:Nlllul5mxllp:NllU4x/
                                      MD5:3A925CB766CE4286E251C26E90B55CE8
                                      SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                      SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                      SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                      Malicious:false
                                      Preview:@...e................................................@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3366912
                                      Entropy (8bit):6.530548291878271
                                      Encrypted:false
                                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                      MD5:9902FA6D39184B87AED7D94A037912D8
                                      SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                      SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                      SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3366912
                                      Entropy (8bit):6.530548291878271
                                      Encrypted:false
                                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                      MD5:9902FA6D39184B87AED7D94A037912D8
                                      SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                      SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                      SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                      Process:C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:dropped
                                      Size (bytes):406
                                      Entropy (8bit):5.117520345541057
                                      Encrypted:false
                                      SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                      MD5:9200058492BCA8F9D88B4877F842C148
                                      SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                      SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                      SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                      Malicious:false
                                      Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
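The 7-Zip log above records 7zr.exe identifying locale3.dat as a 7z archive (Type = 7z, with a 7zAES coder in the method chain) despite the .dat name. The Python below is an added example, not part of the report or of the sample, showing how that identification is made from the first 32 bytes of the file: the 7z signature, the format version, and a CRC-protected start header that gives the offset and size of the archive's header block. The start header it parses is constructed inline by the `build_sample_7z` helper and is an assumption of the example; the report does not include the bytes of locale3.dat.

```python
"""Identify a 7z archive by its start header, whatever the file is named, and
verify the header CRC before trusting the sizes it reports."""
import struct
import zlib
from typing import Optional, Tuple

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # signature that opens every .7z archive
START_HEADER_LEN = 32                 # magic[6] ver[2] crc[4] offset[8] size[8] crc[4]


def parse_7z_start_header(data: bytes) -> Optional[Tuple[str, int, int, int]]:
    """Return (version, next_header_offset, next_header_size, next_header_crc),
    or None when the bytes are not a 7z archive.

    StartHeaderCRC is CRC32 over the 20 bytes that follow it (offsets 12..31);
    7-Zip refuses the archive when it does not match, so we do the same.
    """
    if len(data) < START_HEADER_LEN or data[:6] != SEVENZ_MAGIC:
        return None
    major, minor, start_crc = struct.unpack_from("<BBI", data, 6)
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    if zlib.crc32(data[12:START_HEADER_LEN]) != start_crc:
        raise ValueError("7z start header CRC mismatch (truncated or tampered header)")
    return f"{major}.{minor}", next_off, next_size, next_crc


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is 7z but the name does not say so (e.g. 'locale3.dat')."""
    return parse_7z_start_header(data) is not None and not filename.lower().endswith(".7z")


def header_span(data: bytes) -> Optional[Tuple[int, int]]:
    """Absolute file offset and length of the (possibly encoded/encrypted) header block."""
    parsed = parse_7z_start_header(data)
    if parsed is None:
        return None
    _, next_off, next_size, _ = parsed
    return START_HEADER_LEN + next_off, next_size


def build_sample_7z(next_off: int = 100, next_size: int = 42) -> bytes:
    """Constructed start header plus zero-filled padding standing in for the packed
    streams and header block; NOT the locale3.dat from the report."""
    tail = struct.pack("<QQI", next_off, next_size, 0)
    start = SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail)) + tail
    return start + b"\0" * (next_off + next_size)


if __name__ == "__main__":
    blob = build_sample_7z()
    print("locale3.dat content is 7z:", extension_mismatch("locale3.dat", blob))
    print("header block (offset, size):", header_span(blob))
```

The same check generalises to any dropped file whose name does not match its content; the CRC step matters because a truncated or partially written archive would otherwise yield nonsense header offsets.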
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.921265219134115
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 98.04%
                                      • Inno Setup installer (109748/4) 1.08%
                                      • InstallShield setup (43055/19) 0.42%
                                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      File name:#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                      File size:5'707'508 bytes
                                      MD5:8d24ff51c87bc901cb4c88cb885dc15a
                                      SHA1:c8f7e17799b8ad0769f83b2d7d8f491384aa93d0
                                      SHA256:52ae54a6103be491559249ed1ed982b69b06948849a880db142eb37ff0484a3b
                                      SHA512:dbee19d7f7716dbcd5b4c63c90c63526c6f183038e84cb303c2f46587a7be1d164d186e799cb42280981ab1a917575aac982dc0eaab186dea329cc85bf43543e
                                      SSDEEP:98304:XwRES3ZFYl6Qc9lJkMtCI4ZZEoqW2cb/k913pDdMwZgf:lUo6jbtF4Z12cbchs
                                      TLSH:D5461223F2CBE53DE05E0B3B15B2A15894FB6A216522AD52C6ECB4ECCF351601D3E647
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:0c0c2d33ceec80aa
                                      Entrypoint:0x4a83bc
                                      Entrypoint Section:.itext
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:1
                                      File Version Major:6
                                      File Version Minor:1
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:1
                                      Import Hash:40ab50289f7ef5fae60801f88d4541fc
Entrypoint disassembly (Instruction)
                                      push ebp
                                      mov ebp, esp
                                      add esp, FFFFFFA4h
                                      push ebx
                                      push esi
                                      push edi
                                      xor eax, eax
                                      mov dword ptr [ebp-3Ch], eax
                                      mov dword ptr [ebp-40h], eax
                                      mov dword ptr [ebp-5Ch], eax
                                      mov dword ptr [ebp-30h], eax
                                      mov dword ptr [ebp-38h], eax
                                      mov dword ptr [ebp-34h], eax
                                      mov dword ptr [ebp-2Ch], eax
                                      mov dword ptr [ebp-28h], eax
                                      mov dword ptr [ebp-14h], eax
                                      mov eax, 004A2EBCh
                                      call 00007F7950AC4CB5h
                                      xor eax, eax
                                      push ebp
                                      push 004A8AC1h
                                      push dword ptr fs:[eax]
                                      mov dword ptr fs:[eax], esp
                                      xor edx, edx
                                      push ebp
                                      push 004A8A7Bh
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      mov eax, dword ptr [004B0634h]
                                      call 00007F7950B5663Bh
                                      call 00007F7950B5618Eh
                                      lea edx, dword ptr [ebp-14h]
                                      xor eax, eax
                                      call 00007F7950B50E68h
                                      mov edx, dword ptr [ebp-14h]
                                      mov eax, 004B41F4h
                                      call 00007F7950ABED63h
                                      push 00000002h
                                      push 00000000h
                                      push 00000001h
                                      mov ecx, dword ptr [004B41F4h]
                                      mov dl, 01h
                                      mov eax, dword ptr [0049CD14h]
                                      call 00007F7950B52193h
                                      mov dword ptr [004B41F8h], eax
                                      xor edx, edx
                                      push ebp
                                      push 004A8A27h
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      call 00007F7950B566C3h
                                      mov dword ptr [004B4200h], eax
                                      mov eax, dword ptr [004B4200h]
                                      cmp dword ptr [eax+0Ch], 01h
                                      jne 00007F7950B5D3AAh
                                      mov eax, dword ptr [004B4200h]
                                      mov edx, 00000028h
                                      call 00007F7950B52A88h
                                      mov edx, dword ptr [004B4200h]
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x11000 | 0x11000 | c77c993913ee57d416c0b87d169b66eb | False | 0.18785903033088236 | data | 3.721257000596691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
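The Entrypoint Section and the per-section Entropy values in this report come from walking the section table. The Python below is an added illustration, not code from the Joe Sandbox report or from the sample: it parses the DOS, COFF, optional and section headers of a PE image held in memory, maps AddressOfEntryPoint to the section that contains it, and computes Shannon entropy per section, with sections that have no raw data (such as .bss and .tls here) coming out at 0.0 as in the table. It runs on a small PE32 image constructed inline with a .text/.itext/.bss layout and the entry point in .itext; that image and the `build_sample_pe` helper are assumptions of the example, not the analysed binary.

```python
"""Walk a PE section table: map AddressOfEntryPoint to its section and
compute per-section Shannon entropy (pure Python, no pefile needed)."""
import math
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    data: bytes

    def contains_rva(self, rva: int) -> bool:
        # The loader rounds VirtualSize up to SectionAlignment; the unrounded span
        # (the larger of VirtualSize and SizeOfRawData) is enough for a lookup.
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, sections) for a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    # COFF header (20 bytes): skip Machine, read NumberOfSections, skip TimeDateStamp,
    # PointerToSymbolTable and NumberOfSymbols, read SizeOfOptionalHeader, skip Characteristics.
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                             # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]    # same offset in both formats
    sections: List[Section] = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, then relocation/line-number fields, Characteristics.
        hdr = opt + opt_size + 40 * i
        raw_name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, hdr)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, vaddr, vsize, rsize, image[rptr:rptr + rsize]))
    return entry_rva, sections


def entrypoint_section(image: bytes) -> Optional[str]:
    """Name of the section holding the entry point, or None if it lies outside every section."""
    entry_rva, sections = parse_sections(image)
    return next((s.name for s in sections if s.contains_rva(entry_rva)), None)


def section_entropies(image: bytes) -> Dict[str, float]:
    _, sections = parse_sections(image)
    return {s.name: round(shannon_entropy(s.data), 3) for s in sections}


def build_sample_pe(entry_rva: int = 0x2000) -> bytes:
    """Constructed three-section PE32 for demonstration (NOT the analysed sample):
    .text holds uniformly distributed bytes, .itext a short prologue, .bss has no raw data."""
    file_align = 0x200
    layout = [  # (Name, VirtualAddress, raw bytes)
        (b".text", 0x1000, bytes(range(256)) * 2),
        (b".itext", 0x2000, b"\x55\x8b\xec" + b"\x00" * 509),   # push ebp; mov ebp, esp
        (b".bss", 0x3000, b""),
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (0xE0 - len(opt))
    headers, body, raw_ptr = dos + b"PE\0\0" + coff + opt, b"", file_align
    for name, vaddr, data in layout:
        rsize = len(data)
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), rsize or 0x100, vaddr,
                               rsize, raw_ptr if rsize else 0, 0, 0, 0, 0, 0)
        body += data
        raw_ptr += rsize
    return headers + b"\0" * (file_align - len(headers)) + body


if __name__ == "__main__":
    img = build_sample_pe()
    print("entry point section:", entrypoint_section(img))
    for sec_name, h in section_entropies(img).items():
        print(f"{sec_name:8s} entropy {h}")
```

An entry point that maps to no section, or to one without IMAGE_SCN_CNT_CODE, deserves a second look before the Entrypoint Section value is trusted; the entropy figures separate packed or encrypted sections (close to 8.0) from ordinary code and data such as the 6.38 of .text above.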
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                      DLL | Imports
                                      kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                      comctl32.dll | InitCommonControls
                                      user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                      oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                      advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                      Exported Name | Ordinal | Address
                                      __dbk_fcall_wrapper | 2 | 0x40fc10
                                      dbkFCallWrapperAddr | 1 | 0x4b063c
                                      Language of compilation system | Country where language is spoken
                                      English | United States
                                      No network behavior found


                                      Target ID:0
                                      Start time:03:34:08
                                      Start date:23/12/2024
                                      Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
                                      Imagebase:0x3e0000
                                      File size:5'707'508 bytes
                                      MD5 hash:8D24FF51C87BC901CB4C88CB885DC15A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:03:34:08
                                      Start date:23/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-5IHQH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1040C,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
                                      Imagebase:0x2f0000
                                      File size:3'366'912 bytes
                                      MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:3
                                      Start time:03:34:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                      Imagebase:0x7ff7be880000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:03:34:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:03:34:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff6ef0c0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:6
                                      Start time:03:34:17
                                      Start date:23/12/2024
                                      Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
                                      Imagebase:0x3e0000
                                      File size:5'707'508 bytes
                                      MD5 hash:8D24FF51C87BC901CB4C88CB885DC15A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:false

                                      Target ID:7
                                      Start time:03:34:18
                                      Start date:23/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-EEC3P.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$30410,4753116,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
                                      Imagebase:0x430000
                                      File size:3'366'912 bytes
                                      MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:8
                                      Start time:03:34:21
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:03:34:21
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:03:34:21
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:03:34:21
                                      Start date:23/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                      Imagebase:0xf20000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Has exited:true

                                      Target ID:12
                                      Start time:03:34:21
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                      Imagebase:0xf20000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:14
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true
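                                      The process entries above form one chain: the Inno Setup unpacker (the `.tmp` child launched with `/SL5=`) runs PowerShell to add a Defender exclusion for the whole of `C:\`, registers a file named `tProtect.dll` under `C:\Program Files (x86)\Windows NT\` as a `type= kernel` service called CleverSoar, unpacks two password-protected 7-Zip archives with the passwords on the command line, and then issues `sc start CleverSoar` again and again within a single second. The script below is an added example, not part of the Joe Sandbox report or of the sample, showing how a SOC engineer would turn those four observations into detection logic over process-creation events. The event tuples are constructed from the command lines in this report, and the field layout, rule names and severities are this example's own assumptions.

```python
"""Triage rules for the process chain shown in the sandbox report.

Added example, not code from the report or the sample. Runs over
(start_time, image_path, command_line) tuples, which is the shape of the
report's process list; any EDR process-creation log can be mapped to it.
"""
import re
import shlex
from datetime import datetime, timedelta

# Constructed events mirroring the report's process list (times and command
# lines copied from the entries above; the repeated 'sc start' lines are the
# retry loop the report shows as Target IDs 16, 19, 22, 25, 28, 31, 34, ...).
EVENTS = [
    ("03:34:09", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ("03:34:21", r"C:\Windows\System32\sc.exe",
     'sc create CleverSoar displayname= CleverSoar binPath= '
     '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
    ("03:34:21", r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    ("03:34:22", r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
] + [("03:34:22", r"C:\Windows\System32\sc.exe", "sc start CleverSoar")] * 6 \
  + [("03:34:23", r"C:\Windows\System32\sc.exe", "sc start CleverSoar")] * 2

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # 'C:' or 'C:\' excludes the whole volume


def defender_exclusion(cmd):
    """Return the path/process/extension an Add-MpPreference call excludes, else None."""
    if not re.search(r"add-mppreference", cmd, re.I):
        return None
    m = re.search(r"-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\"]+)", cmd, re.I)
    return m.group(1).strip() if m else None


def parse_sc_create(cmd):
    """Parse 'sc create <svc> key= value ...' into a dict, else None.

    sc.exe takes 'key= value' pairs with the space after '=', so each token
    ending in '=' is paired with the token that follows it. Non-POSIX shlex
    keeps Windows backslashes and returns a quoted path as one token.
    """
    toks = shlex.split(cmd, posix=False)
    if len(toks) < 3 or toks[0].lower() not in ("sc", "sc.exe") or toks[1].lower() != "create":
        return None
    info = {"service": toks[2]}
    i = 3
    while i + 1 < len(toks):
        if toks[i].endswith("="):
            info[toks[i][:-1].lower()] = toks[i + 1].strip('"')
            i += 2
        else:
            i += 1
    return info


def archive_password(cmd):
    """Return the password a 7-Zip (7z/7za/7zr) command passes via -p, else None."""
    toks = shlex.split(cmd, posix=False)
    if not toks or not re.search(r"7z[ar]?(\.exe)?$", toks[0], re.I):
        return None
    for t in toks[1:]:
        if t.startswith("-p") and len(t) > 2:
            return t[2:]
    return None


def triage(events):
    """Apply the four rules; return (rule, severity, detail) tuples in detection order."""
    findings = []
    starts = {}  # service name -> timestamps of 'sc start' calls
    for ts, _image, cmd in events:
        t = datetime.strptime(ts, "%H:%M:%S")
        path = defender_exclusion(cmd)
        if path is not None:
            sev = "high" if DRIVE_ROOT.match(path) else "medium"
            findings.append(("defender_exclusion", sev, path))
        svc = parse_sc_create(cmd)
        if svc and svc.get("type", "").lower() == "kernel":
            bp = svc.get("binpath", "")
            # A legitimate driver is a .sys under System32\drivers; a .dll under
            # Program Files registered as a kernel service is the report's case.
            if not bp.lower().endswith(".sys") or "\\system32\\drivers\\" not in bp.lower():
                findings.append(("kernel_driver_service", "high", f"{svc['service']} -> {bp}"))
        if archive_password(cmd) is not None:
            findings.append(("password_archive_extract", "medium", cmd))
        m = re.match(r"^(?:sc|sc\.exe)\s+start\s+(\S+)", cmd, re.I)
        if m:
            starts.setdefault(m.group(1), []).append(t)
    for name, times in starts.items():
        times.sort()
        span = times[-1] - times[0]
        if len(times) >= 3 and span <= timedelta(seconds=60):
            findings.append(("service_start_loop", "medium",
                             f"{name} started {len(times)}x in {span.seconds}s"))
    return findings


if __name__ == "__main__":
    for rule, sev, detail in triage(EVENTS):
        print(f"[{sev:6}] {rule}: {detail}")
```

                                      The kernel-service rule is the one worth carrying into production: a `binPath=` that is not a `.sys` under `System32\drivers` combined with `type= kernel` is rare in benign software, and here the "driver" is a `.dll` dropped next to a renamed 7-Zip binary. The repeated `sc start` calls also tell an analyst something the single command line does not: the service is being retried in a tight loop, which usually means the load is failing (for example, a signature-enforcement block) and is a useful pivot for checking the System event log on the host.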

                                      Target ID:18
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:03:34:22
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:03:34:23
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:03:34:24
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6d64d0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:67
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:68
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:69
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:70
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:71
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:72
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:73
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:74
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:75
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:76
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:77
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:78
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:79
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:80
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:81
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:82
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:83
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:84
                                      Start time:03:34:25
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:85
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:86
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff632ac0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:87
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:88
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:89
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:90
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:91
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:92
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:93
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:94
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:95
                                      Start time:03:34:26
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:96
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:97
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:98
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:99
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:100
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:101
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:102
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:103
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:104
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7ce9c0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:105
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6d64d0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:106
                                      Start time:03:34:27
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff653a80000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                        Execution Graph

                                        Execution Coverage:1.6%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:15.6%
                                        Total number of Nodes:788
                                        Total number of Limit Nodes:13
                                        execution_graph: serialized node and edge data for the rendered execution graph (raw graph dump omitted). Windows API calls referenced by the graph nodes include CreateProcessA / WaitForSingleObject / CloseHandle, CreateFileA and CreateFileW, FindFirstFileA / FindClose, OpenSCManagerA / OpenServiceA, CreateToolhelp32Snapshot / Process32FirstW / Process32NextW, GetCurrentThread / NtSetInformationThread, GetCurrentProcess / OpenProcessToken / LookupPrivilegeValueW / AdjustTokenPrivileges / NtInitiatePowerAction, ExitWindowsEx, GetCurrentProcess / TerminateProcess, WriteFile / ReadFile, GetFileType, SetStdHandle, GetConsoleMode, MultiByteToWideChar, HeapAlloc / HeapFree, EnterCriticalSection / LeaveCriticalSection, IsProcessorFeaturePresent, RaiseException, GetLastError / SetLastError, ExitThread, Sleep and GetPEB.
101247->101250 101248->101247 101249->101098 101250->101247 101251->101115 101253->101097 101255 6c0bb743 _Yarn __wsopen_s std::locale::_Setgloballocale 101254->101255 101256 6c0bc180 101255->101256 101257 6c0bbced CreateFileA 101255->101257 101259 6c0baa30 101255->101259 101256->101238 101257->101255 101262 6c0baa43 __wsopen_s std::locale::_Setgloballocale 101259->101262 101260 6c0bb3e9 WriteFile 101260->101262 101261 6c0bb43d WriteFile 101261->101262 101262->101260 101262->101261 101263 6c0bb718 101262->101263 101264 6c0bab95 ReadFile 101262->101264 101263->101255 101264->101262 101265 6c0fcad3 101266 6c0fcafd 101265->101266 101267 6c0fcae5 __dosmaperr 101265->101267 101266->101267 101269 6c0fcb48 __dosmaperr 101266->101269 101270 6c0fcb77 101266->101270 101307 6c0f0120 18 API calls __fassign 101269->101307 101271 6c0fcb90 101270->101271 101272 6c0fcbab __dosmaperr 101270->101272 101274 6c0fcbe7 __wsopen_s 101270->101274 101271->101272 101292 6c0fcb95 101271->101292 101300 6c0f0120 18 API calls __fassign 101272->101300 101273 6c1019e5 __wsopen_s 18 API calls 101275 6c0fcd3e 101273->101275 101301 6c0f47bb HeapFree GetLastError __dosmaperr 101274->101301 101278 6c0fcdb4 101275->101278 101281 6c0fcd57 GetConsoleMode 101275->101281 101280 6c0fcdb8 ReadFile 101278->101280 101279 6c0fcc07 101302 6c0f47bb HeapFree GetLastError __dosmaperr 101279->101302 101283 6c0fce2c GetLastError 101280->101283 101284 6c0fcdd2 101280->101284 101281->101278 101285 6c0fcd68 101281->101285 101296 6c0fcbc2 __dosmaperr __wsopen_s 101283->101296 101284->101283 101287 6c0fcda9 101284->101287 101285->101280 101288 6c0fcd6e ReadConsoleW 101285->101288 101286 6c0fcc0e 101286->101296 101303 6c0fac69 20 API calls __wsopen_s 101286->101303 101293 6c0fce0e 101287->101293 101294 6c0fcdf7 101287->101294 101287->101296 101288->101287 101291 6c0fcd8a GetLastError 101288->101291 101291->101296 101292->101273 101293->101296 101297 6c0fce25 101293->101297 101305 6c0fcefe 23 API calls 3 library calls 
101294->101305 101304 6c0f47bb HeapFree GetLastError __dosmaperr 101296->101304 101306 6c0fd1b6 21 API calls __wsopen_s 101297->101306 101299 6c0fce2a 101299->101296 101300->101296 101301->101279 101302->101286 101303->101292 101304->101267 101305->101296 101306->101299 101307->101267
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                        • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: HR^
                                        • API String ID: 4218353326-1341859651
                                        • Opcode ID: 144cd2d8e29dce4a6562f38275828d46ae7303938938a0d27029408686c1cf18
                                        • Instruction ID: 347ddeab2d5e656cb8f9f3bccc1629ecc4eb6748ac916c0ad72504d901ae32b7
                                        • Opcode Fuzzy Hash: 144cd2d8e29dce4a6562f38275828d46ae7303938938a0d27029408686c1cf18
                                        • Instruction Fuzzy Hash: 7374F772644B028FC728CF28C8D0695B7F3EF95314B198A6DC4D68B765EB78B54ACB40
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                        • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: }jk$;T55$L@^
                                        • API String ID: 0-4218709813
                                        • Opcode ID: b2692519a2566c18008611db325bd93e0d6ca8df1ccf4e5a166cca412c42acbd
                                        • Instruction ID: 8068077905dce373cc551c4cba65cff487dabff7b5f20ee04c3b48082669b780
                                        • Opcode Fuzzy Hash: b2692519a2566c18008611db325bd93e0d6ca8df1ccf4e5a166cca412c42acbd
                                        • Instruction Fuzzy Hash: 0134F8726447018FC738CF28D8D0A95B7E3EF95314B198ABEC0964B765EB78B54ACB40

                                        Control-flow Graph

                                        control_flow_graph 7677 6c0e5240-6c0e5275 CreateToolhelp32Snapshot 7678 6c0e52a0-6c0e52a9 7677->7678 7679 6c0e52ab-6c0e52b0 7678->7679 7680 6c0e52e0-6c0e52e5 7678->7680 7681 6c0e5315-6c0e531a 7679->7681 7682 6c0e52b2-6c0e52b7 7679->7682 7683 6c0e52eb-6c0e52f0 7680->7683 7684 6c0e5377-6c0e53a1 call 6c0f2c05 7680->7684 7687 6c0e53a6-6c0e53ab 7681->7687 7688 6c0e5320-6c0e5332 Process32NextW 7681->7688 7690 6c0e52b9-6c0e52be 7682->7690 7691 6c0e5334-6c0e535d call 6c0eb920 Process32FirstW 7682->7691 7685 6c0e5277-6c0e5292 CloseHandle 7683->7685 7686 6c0e52f2-6c0e52f7 7683->7686 7684->7678 7685->7678 7686->7678 7692 6c0e52f9-6c0e5313 7686->7692 7687->7678 7697 6c0e53b1-6c0e53bf 7687->7697 7694 6c0e5362-6c0e5372 7688->7694 7690->7678 7696 6c0e52c0-6c0e52d1 7690->7696 7691->7694 7692->7678 7694->7678 7696->7678
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C0E524E (dwFlags 0x2 = TH32CS_SNAPPROCESS with th32ProcessID 0: a snapshot of the whole process list, which this function then walks with the Process32FirstW/Process32NextW calls shown in the graph)
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                        • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: CreateSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 3332741929-0
                                        • Opcode ID: 2327ac8bc789212c07d393f11c2c2f82020b72df717e20258822036f3cd74049
                                        • Instruction ID: 7c47bd64b3cd93f327efcf11045099e8ad020eb51f6addff0878827049e0c1b2
                                        • Opcode Fuzzy Hash: 2327ac8bc789212c07d393f11c2c2f82020b72df717e20258822036f3cd74049
                                        • Instruction Fuzzy Hash: 79316C78648301AFD7109F68C888B0ABBF4AF9A744F904D2EF598CB361D371D8488B53

                                        Control-flow Graph

                                        control_flow_graph 7821 6bf63886-6bf6388e 7822 6bf63894-6bf63896 7821->7822 7823 6bf63970-6bf6397d 7821->7823 7822->7823 7824 6bf6389c-6bf638b9 7822->7824 7825 6bf639f1-6bf639f8 7823->7825 7826 6bf6397f-6bf63989 7823->7826 7829 6bf638c0-6bf638c1 7824->7829 7827 6bf63ab5-6bf63aba 7825->7827 7828 6bf639fe-6bf63a03 7825->7828 7826->7824 7830 6bf6398f-6bf63994 7826->7830 7827->7824 7834 6bf63ac0-6bf63ac7 7827->7834 7831 6bf638d2-6bf638d4 7828->7831 7832 6bf63a09-6bf63a2f 7828->7832 7833 6bf6395e 7829->7833 7835 6bf63b16-6bf63b18 7830->7835 7836 6bf6399a-6bf6399f 7830->7836 7839 6bf63957-6bf6395c 7831->7839 7837 6bf63a35-6bf63a3a 7832->7837 7838 6bf638f8-6bf63955 7832->7838 7841 6bf63960-6bf63964 7833->7841 7834->7829 7840 6bf63acd-6bf63ad6 7834->7840 7835->7829 7842 6bf639a5-6bf639bf 7836->7842 7843 6bf6383b-6bf63855 call 6c0b1470 call 6c0b1480 7836->7843 7844 6bf63a40-6bf63a57 7837->7844 7845 6bf63b1d-6bf63b22 7837->7845 7838->7839 7839->7833 7840->7835 7846 6bf63ad8-6bf63aeb 7840->7846 7848 6bf63860-6bf63885 7841->7848 7849 6bf6396a 7841->7849 7850 6bf63a5a-6bf63a5d 7842->7850 7843->7848 7844->7850 7856 6bf63b24-6bf63b44 7845->7856 7857 6bf63b49-6bf63b50 7845->7857 7846->7838 7853 6bf63af1-6bf63af8 7846->7853 7848->7821 7855 6bf63ba1-6bf63bb6 7849->7855 7851 6bf63a87-6bf63aa7 7850->7851 7852 6bf63aa9-6bf63ab0 7850->7852 7851->7852 7852->7841 7862 6bf63b62-6bf63b85 7853->7862 7863 6bf63afa-6bf63aff 7853->7863 7861 6bf63bc0-6bf63bda call 6c0b1470 call 6c0b1480 7855->7861 7856->7851 7857->7829 7859 6bf63b56-6bf63b5d 7857->7859 7859->7841 7872 6bf63be0-6bf63bfe 7861->7872 7862->7838 7867 6bf63b8b 7862->7867 7863->7839 7867->7855 7875 6bf63c04-6bf63c11 7872->7875 7876 6bf63e7b 7872->7876 7877 6bf63c17-6bf63c20 7875->7877 7878 6bf63ce0-6bf63cea 7875->7878 7879 6bf63e81-6bf63ee0 call 6bf63750 GetCurrentThread NtSetInformationThread 7876->7879 7883 6bf63c26-6bf63c2d 7877->7883 7884 6bf63dc5 7877->7884 7881 6bf63cec-6bf63d0c 7878->7881 
7882 6bf63d3a-6bf63d3c 7878->7882 7893 6bf63eea-6bf63f04 call 6c0b1470 call 6c0b1480 7879->7893 7887 6bf63d90-6bf63d95 7881->7887 7888 6bf63d70-6bf63d8d 7882->7888 7889 6bf63d3e-6bf63d45 7882->7889 7890 6bf63dc3 7883->7890 7891 6bf63c33-6bf63c3a 7883->7891 7885 6bf63dc6 7884->7885 7892 6bf63dc8-6bf63dcc 7885->7892 7895 6bf63d97-6bf63db8 7887->7895 7896 6bf63dba-6bf63dc1 7887->7896 7888->7887 7894 6bf63d50-6bf63d57 7889->7894 7890->7884 7897 6bf63e26-6bf63e2b 7891->7897 7898 6bf63c40-6bf63c5b 7891->7898 7892->7872 7904 6bf63dd2 7892->7904 7915 6bf63f75-6bf63fa1 7893->7915 7894->7885 7895->7884 7896->7890 7902 6bf63dd7-6bf63ddc 7896->7902 7899 6bf63e31 7897->7899 7900 6bf63c7b-6bf63cd0 7897->7900 7903 6bf63e1b-6bf63e24 7898->7903 7899->7861 7900->7894 7906 6bf63e36-6bf63e3d 7902->7906 7907 6bf63dde-6bf63e17 7902->7907 7903->7892 7905 6bf63e76-6bf63e79 7904->7905 7905->7879 7910 6bf63e3f-6bf63e5a 7906->7910 7911 6bf63e5c-6bf63e5f 7906->7911 7907->7903 7910->7903 7911->7900 7913 6bf63e65-6bf63e69 7911->7913 7913->7892 7913->7905 7919 6bf63fa3-6bf63fa8 7915->7919 7920 6bf64020-6bf64026 7915->7920 7921 6bf63fae-6bf63fcf 7919->7921 7922 6bf6407c-6bf64081 7919->7922 7923 6bf63f06-6bf63f35 7920->7923 7924 6bf6402c-6bf6403c 7920->7924 7925 6bf640aa-6bf640ae 7921->7925 7922->7925 7928 6bf64083-6bf6408a 7922->7928 7929 6bf63f38-6bf63f61 7923->7929 7926 6bf640b3-6bf640b8 7924->7926 7927 6bf6403e-6bf64058 7924->7927 7930 6bf63f6b-6bf63f6f 7925->7930 7926->7921 7933 6bf640be-6bf640c9 7926->7933 7931 6bf6405a-6bf64063 7927->7931 7928->7929 7932 6bf64090 7928->7932 7934 6bf63f64-6bf63f67 7929->7934 7930->7915 7936 6bf640f5-6bf6413f 7931->7936 7937 6bf64069-6bf6406c 7931->7937 7932->7893 7933->7925 7938 6bf640cb-6bf640d4 7933->7938 7935 6bf63f69 7934->7935 7935->7930 7936->7935 7940 6bf64144-6bf6414b 7937->7940 7941 6bf64072-6bf64077 7937->7941 7942 6bf640d6-6bf640f0 7938->7942 7943 6bf640a7 7938->7943 7940->7930 7941->7934 7942->7931 7943->7925
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                        • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a830a95eeef8dccd19675f54840c2c0c95f9b245beed44c7997f0b654f0018aa
                                        • Instruction ID: 397b0fb40fa14c584beae913c73e0e5583bc70905d7c5706c7628d2386dafcf3
                                        • Opcode Fuzzy Hash: a830a95eeef8dccd19675f54840c2c0c95f9b245beed44c7997f0b654f0018aa
                                        • Instruction Fuzzy Hash: 4732C233644B018FC334CF2CC890695B7E3EF91354B698A6CC4EA5B6A5E779B44ACB50

                                        Control-flow Graph

                                        control_flow_graph 7969 6bf63a6a-6bf63a85 7970 6bf63a87-6bf63aa7 7969->7970 7971 6bf63aa9-6bf63ab0 7970->7971 7972 6bf63960-6bf63964 7971->7972 7973 6bf63860-6bf6388e 7972->7973 7974 6bf6396a 7972->7974 7983 6bf63894-6bf63896 7973->7983 7984 6bf63970-6bf6397d 7973->7984 7975 6bf63ba1-6bf63bb6 7974->7975 7978 6bf63bc0-6bf63bda call 6c0b1470 call 6c0b1480 7975->7978 7993 6bf63be0-6bf63bfe 7978->7993 7983->7984 7986 6bf6389c-6bf638b9 7983->7986 7988 6bf639f1-6bf639f8 7984->7988 7989 6bf6397f-6bf63989 7984->7989 7992 6bf638c0-6bf638c1 7986->7992 7990 6bf63ab5-6bf63aba 7988->7990 7991 6bf639fe-6bf63a03 7988->7991 7989->7986 7994 6bf6398f-6bf63994 7989->7994 7990->7986 7998 6bf63ac0-6bf63ac7 7990->7998 7995 6bf638d2-6bf638d4 7991->7995 7996 6bf63a09-6bf63a2f 7991->7996 7997 6bf6395e 7992->7997 8012 6bf63c04-6bf63c11 7993->8012 8013 6bf63e7b 7993->8013 8000 6bf63b16-6bf63b18 7994->8000 8001 6bf6399a-6bf6399f 7994->8001 8004 6bf63957-6bf6395c 7995->8004 8002 6bf63a35-6bf63a3a 7996->8002 8003 6bf638f8-6bf63955 7996->8003 7997->7972 7998->7992 8005 6bf63acd-6bf63ad6 7998->8005 8000->7992 8007 6bf639a5-6bf639bf 8001->8007 8008 6bf6383b-6bf63855 call 6c0b1470 call 6c0b1480 8001->8008 8009 6bf63a40-6bf63a57 8002->8009 8010 6bf63b1d-6bf63b22 8002->8010 8003->8004 8004->7997 8005->8000 8011 6bf63ad8-6bf63aeb 8005->8011 8015 6bf63a5a-6bf63a5d 8007->8015 8008->7973 8009->8015 8021 6bf63b24-6bf63b44 8010->8021 8022 6bf63b49-6bf63b50 8010->8022 8011->8003 8016 6bf63af1-6bf63af8 8011->8016 8017 6bf63c17-6bf63c20 8012->8017 8018 6bf63ce0-6bf63cea 8012->8018 8019 6bf63e81-6bf63ee0 call 6bf63750 GetCurrentThread NtSetInformationThread 8013->8019 8015->7970 8015->7971 8027 6bf63b62-6bf63b85 8016->8027 8028 6bf63afa-6bf63aff 8016->8028 8029 6bf63c26-6bf63c2d 8017->8029 8030 6bf63dc5 8017->8030 8025 6bf63cec-6bf63d0c 8018->8025 8026 6bf63d3a-6bf63d3c 8018->8026 8042 6bf63eea-6bf63f04 call 6c0b1470 call 6c0b1480 8019->8042 8021->7970 8022->7992 8023 
6bf63b56-6bf63b5d 8022->8023 8023->7972 8035 6bf63d90-6bf63d95 8025->8035 8036 6bf63d70-6bf63d8d 8026->8036 8037 6bf63d3e-6bf63d45 8026->8037 8027->8003 8033 6bf63b8b 8027->8033 8028->8004 8038 6bf63dc3 8029->8038 8039 6bf63c33-6bf63c3a 8029->8039 8032 6bf63dc6 8030->8032 8041 6bf63dc8-6bf63dcc 8032->8041 8033->7975 8044 6bf63d97-6bf63db8 8035->8044 8045 6bf63dba-6bf63dc1 8035->8045 8036->8035 8043 6bf63d50-6bf63d57 8037->8043 8038->8030 8046 6bf63e26-6bf63e2b 8039->8046 8047 6bf63c40-6bf63c5b 8039->8047 8041->7993 8053 6bf63dd2 8041->8053 8064 6bf63f75-6bf63fa1 8042->8064 8043->8032 8044->8030 8045->8038 8051 6bf63dd7-6bf63ddc 8045->8051 8048 6bf63e31 8046->8048 8049 6bf63c7b-6bf63cd0 8046->8049 8052 6bf63e1b-6bf63e24 8047->8052 8048->7978 8049->8043 8055 6bf63e36-6bf63e3d 8051->8055 8056 6bf63dde-6bf63e17 8051->8056 8052->8041 8054 6bf63e76-6bf63e79 8053->8054 8054->8019 8059 6bf63e3f-6bf63e5a 8055->8059 8060 6bf63e5c-6bf63e5f 8055->8060 8056->8052 8059->8052 8060->8049 8062 6bf63e65-6bf63e69 8060->8062 8062->8041 8062->8054 8068 6bf63fa3-6bf63fa8 8064->8068 8069 6bf64020-6bf64026 8064->8069 8070 6bf63fae-6bf63fcf 8068->8070 8071 6bf6407c-6bf64081 8068->8071 8072 6bf63f06-6bf63f35 8069->8072 8073 6bf6402c-6bf6403c 8069->8073 8074 6bf640aa-6bf640ae 8070->8074 8071->8074 8077 6bf64083-6bf6408a 8071->8077 8078 6bf63f38-6bf63f61 8072->8078 8075 6bf640b3-6bf640b8 8073->8075 8076 6bf6403e-6bf64058 8073->8076 8079 6bf63f6b-6bf63f6f 8074->8079 8075->8070 8082 6bf640be-6bf640c9 8075->8082 8080 6bf6405a-6bf64063 8076->8080 8077->8078 8081 6bf64090 8077->8081 8083 6bf63f64-6bf63f67 8078->8083 8079->8064 8085 6bf640f5-6bf6413f 8080->8085 8086 6bf64069-6bf6406c 8080->8086 8081->8042 8082->8074 8087 6bf640cb-6bf640d4 8082->8087 8084 6bf63f69 8083->8084 8084->8079 8085->8084 8089 6bf64144-6bf6414b 8086->8089 8090 6bf64072-6bf64077 8086->8090 8091 6bf640d6-6bf640f0 8087->8091 8092 6bf640a7 8087->8092 8089->8079 8090->8083 8091->8080 8092->8074
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                        • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: 724771d783f9fdd8b771475c1c398dc97271cda9abb1ec4810864e72ea1a5674
                                        • Instruction ID: b23bba7fb948d7672a917396dbdb2e964b01d1aea94e7e5a89377261a9fa6d43
                                        • Opcode Fuzzy Hash: 724771d783f9fdd8b771475c1c398dc97271cda9abb1ec4810864e72ea1a5674
                                        • Instruction Fuzzy Hash: C251CF33504B018FC330CF28C8907C5B7E3AF96394F698A5DC4E65B6A5EB79B44A8B51
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                        • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: 5c7700d5ef22f6ee42c233f648a40f92200ada3628005ea415bb379e256ac87b
                                        • Instruction ID: 83d2f1e58ec1c69f9faa6d9604dde1c9e0eeac80d33f1a8a874e731f528334bc
                                        • Opcode Fuzzy Hash: 5c7700d5ef22f6ee42c233f648a40f92200ada3628005ea415bb379e256ac87b
                                        • Instruction Fuzzy Hash: 8751EF33504B118BC330CF2CC480796B7E3BF96394F658A5DC4E65B2A5EB79B44A8B90
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BF63E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF63EAA (ThreadInformationClass 0x11 = ThreadHideFromDebugger, with a NULL buffer of length 0 as that class requires: from this point the calling thread no longer delivers debug events, so breakpoints and exceptions on it are invisible to an attached debugger)
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                        • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: f8790f7ea3299cc2a3312d6b87c70f2a11cd5d83f9baa5b7290c0a25e1095dbd
                                        • Instruction ID: 73a9f54807c66468c201867637b2c409c3ffc02e1eb8812dde8e055f99e2436b
                                        • Opcode Fuzzy Hash: f8790f7ea3299cc2a3312d6b87c70f2a11cd5d83f9baa5b7290c0a25e1095dbd
                                        • Instruction Fuzzy Hash: DF310333505B01CBC334CF68C8947C6B7B3AF96394F154A1DC4A65B2A1EB7974099B51
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BF63E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF63EAA (ThreadInformationClass 0x11 = ThreadHideFromDebugger; same call site as the block above, reached from a second function that shares this code)
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                        • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: e9673f8a647e3e66583cb2986ebbab86b3eaacd839770fd6485c2540047d49bf
                                        • Instruction ID: 2ff6d17488e892f975bee018cc38a81d595fef00aa88321efb2145b11515b594
                                        • Opcode Fuzzy Hash: e9673f8a647e3e66583cb2986ebbab86b3eaacd839770fd6485c2540047d49bf
                                        • Instruction Fuzzy Hash: 16310F33108B01CBC334CF68C490796B7B2AF96384F254A5CC8EA5B2A5EB79B449CB51
                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 6C0E5130
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: ManagerOpen
                                        • String ID:
                                        • API String ID: 1889721586-0
                                        • Opcode ID: 46ef727174445819a910cf272328a3f5fd84027f7fb08324a8d4c3cde7bd2a60
                                        • Instruction ID: 4a3bb2a54f54521c5fa55bae961b66f32fdbf06d15ab218a166edadaa8b8b53d
                                        • Opcode Fuzzy Hash: 46ef727174445819a910cf272328a3f5fd84027f7fb08324a8d4c3cde7bd2a60
                                        • Instruction Fuzzy Hash: C231F7B8648341EFC7108F69C584B0EBBF0AB8DB54F548D9EF998C6361C371C9499B62
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BF63E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF63EAA
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: 4c6abee1557774670f53df09bab836b698ed52b2972dbb96aa2cf7f583aea113
                                        • Instruction ID: 52fcbcb86e3c17d5ab7a4008c5c1443989ad810d2c60899c0c4c762fa3bdd81c
                                        • Opcode Fuzzy Hash: 4c6abee1557774670f53df09bab836b698ed52b2972dbb96aa2cf7f583aea113
                                        • Instruction Fuzzy Hash: 4321F473518701CBD338CF68C8A0796B7B6AF56384F144A1DC8A69B2A0FB79B4089B51
                                        APIs
                                        • FindFirstFileA.KERNEL32(?,?), ref: 6C0DAEDC
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: efe23368a0f356d1fe80cc9793f5d00d6388743fa768df8db12b8869203483b7
                                        • Instruction ID: d9666fb2ff58ea546b51ce5e13a681c7424a0bf5bb109ff35759aeac81f94b3f
                                        • Opcode Fuzzy Hash: efe23368a0f356d1fe80cc9793f5d00d6388743fa768df8db12b8869203483b7
                                        • Instruction Fuzzy Hash: DC1136B4508361AFD7108B68D54460EBBE4BF86314F698E99F4A8CB691D330EC848B27
                                        APIs
                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C0BABA7
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                        • API String ID: 2738559852-1563143607
                                        • Opcode ID: a2e783b397d56db98fb4d0887fb80cf3f45ed1bfb6c6e02c6c1641704e55ba3c
                                        • Instruction ID: b95ab0fe55830e2d816cf1c8659352956f05c30f316193fb6420e3643e5c107b
                                        • Opcode Fuzzy Hash: a2e783b397d56db98fb4d0887fb80cf3f45ed1bfb6c6e02c6c1641704e55ba3c
                                        • Instruction Fuzzy Hash: 9462367060D3828FC724CF18C490B5EBBE2ABD9314F648D1EE9A9DB751D736D8858B42

                                         Control-flow Graph
                                         • Rendered graph omitted (executed / not-executed node listing for 6c0fcad3-6c0fce82); API calls reached in the graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: f309ffb9d60c7f59495a5e2ca54b2b27a06ca2b245f408b47c4e3bdfe631fe02
                                        • Instruction ID: 9174be9679e0e62ba980f2f2682582b50b399bf7768b72dceaf43f39510a0fbf
                                        • Opcode Fuzzy Hash: f309ffb9d60c7f59495a5e2ca54b2b27a06ca2b245f408b47c4e3bdfe631fe02
                                        • Instruction Fuzzy Hash: A9C11574E04249AFDF11DF98C881BADBBF4BF4A318F544159EC60ABB81C7719986CB60

                                         Control-flow Graph
                                         • Rendered graph omitted (executed / not-executed node listing for 6c10406c-6c104395); API calls reached in the graph: GetFileType, GetLastError, CloseHandle
                                        APIs
                                          • Part of subcall function 6C104457: CreateFileW.KERNEL32(00000000,00000000,?,6C104115,?,?,00000000,?,6C104115,00000000,0000000C), ref: 6C104474
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C104180
                                        • __dosmaperr.LIBCMT ref: 6C104187
                                        • GetFileType.KERNEL32(00000000), ref: 6C104193
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C10419D
                                        • __dosmaperr.LIBCMT ref: 6C1041A6
                                        • CloseHandle.KERNEL32(00000000), ref: 6C1041C6
                                        • CloseHandle.KERNEL32(6C0FB0D0), ref: 6C104313
                                        • GetLastError.KERNEL32 ref: 6C104345
                                        • __dosmaperr.LIBCMT ref: 6C10434C
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: 8Q
                                        • API String ID: 4237864984-4022487301
                                        • Opcode ID: decac125691065f5ce790ebd4e092733c170f1f95a3e91a2432fb5cfc5f8ba57
                                        • Instruction ID: 454b6e2406d200d9e10fec2895b7ce162031a1b2c3206a786de1e71824a860d4
                                        • Opcode Fuzzy Hash: decac125691065f5ce790ebd4e092733c170f1f95a3e91a2432fb5cfc5f8ba57
                                        • Instruction Fuzzy Hash: 14A15532B041449FCF09CF68D881BAE7BB1AB1B328F18425DE811EF781CB359816CB51

                                         Control-flow Graph
                                         • Rendered graph omitted (executed / not-executed node listing for 6c0bc1e0-6c0bc4d7); API calls reached in the graph: WriteFile, ReadFile
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: :uW$;uW$;uW$> 4!$> 4!
                                        • API String ID: 0-4100612575
                                        • Opcode ID: 800aef08bc8a2bf7a322fca8827d8299a1652c4778ad326ced2abb753351d87d
                                        • Instruction ID: 74788b6c075aad31a77419ac6c18df839ed1f5c5358ccc89113f65d6e740c5a9
                                        • Opcode Fuzzy Hash: 800aef08bc8a2bf7a322fca8827d8299a1652c4778ad326ced2abb753351d87d
                                        • Instruction Fuzzy Hash: 04718EB0208345AFD710DF94C880B5ABBF4FF8A708F50492EF598E7651D772D9889B92
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K?Jo$K?Jo$`Rlx$7eO
                                        • API String ID: 0-174837320
                                        • Opcode ID: 2ea5e934abd4af9b8eb8c1d4d8a404c7485fe463a2b9617de0ffbbdd08c7a039
                                        • Instruction ID: 75f7b917ff2d40ba46b9f7daea739aabbdacb63d8cd7f09e4b846b31c8baf7ad
                                        • Opcode Fuzzy Hash: 2ea5e934abd4af9b8eb8c1d4d8a404c7485fe463a2b9617de0ffbbdd08c7a039
                                        • Instruction Fuzzy Hash: 334244B46493428FC754CF28C0D0B1EBBE1AFC9314F248D1EE5A5ABB20D636E945CB52
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;T55
                                        • API String ID: 0-2572755013
                                        • Opcode ID: 433840659153c55a8fabb11b895772df02ee23a7b1e8f3bf90156026dc7bde25
                                        • Instruction ID: 85bfce0becdc327f6e675b51b44f4bcce879b7e451b16aa883a3d1160341043f
                                        • Opcode Fuzzy Hash: 433840659153c55a8fabb11b895772df02ee23a7b1e8f3bf90156026dc7bde25
                                        • Instruction Fuzzy Hash: A8030832644B418FC738CF28C8D0695B7F3AFD53247598ABEC4A64B6A5D778B44ACB40

                                         Control-flow Graph
                                         • Rendered graph omitted (executed / not-executed node listing for 6c0e4ff0-6c0e5118); API calls reached in the graph: CreateProcessA, WaitForSingleObject, CloseHandle (called twice)
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID: D
                                        • API String ID: 963392458-2746444292
                                        • Opcode ID: 446f90d6b496dadc14d855c8cbbe883171761a4758db45ad368184350c5a5d7f
                                        • Instruction ID: 8c78bcb3abb1ac1c7eebb0a42f2b9f0f56fe8861a1a273f11086fc99f4410ba0
                                        • Opcode Fuzzy Hash: 446f90d6b496dadc14d855c8cbbe883171761a4758db45ad368184350c5a5d7f
                                        • Instruction Fuzzy Hash: 7531E1709093808FD740DF69D19872EBBF0AB9A318F405E1DF89996250E7759588CF43

                                         Control-flow Graph
                                         • Rendered graph omitted (executed / not-executed node listing for 6c0fbc5e-6c0fbe3f); API calls reached in the graph: WriteFile, GetLastError
                                        APIs
                                          • Part of subcall function 6C0FBEB1: GetConsoleCP.KERNEL32(?,6C0FB0D0,?), ref: 6C0FBEF9
                                        • WriteFile.KERNEL32(?,?,6C1046EC,00000000,00000000,?,00000000,00000000,6C105AB6,00000000,00000000,?,00000000,6C0FB0D0,6C1046EC,00000000), ref: 6C0FBDAF
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1046EC,6C0FB0D0,00000000,?,?,?,?,00000000,?), ref: 6C0FBDB9
                                        • __dosmaperr.LIBCMT ref: 6C0FBDFE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2320496849.000000006BF61000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF60000, based on PE: true
                                         • Associated: 00000007.00000002.2320473336.000000006BF60000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321813400.000000006C108000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2324003674.000000006C2D2000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 251514795-4022487301

                                         Control-flow Graph (rendered graph omitted)
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0E5D31
                                        Strings
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 323602529-1866435925

                                         Control-flow Graph (rendered graph omitted)
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,6C10425F), ref: 6C0FB97B
                                        • GetLastError.KERNEL32(?,00000000,?,6C10425F), ref: 6C0FB985
                                        • __dosmaperr.LIBCMT ref: 6C0FB9B0
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID:
                                        • API String ID: 2583163307-0

                                         Control-flow Graph (rendered graph omitted)
                                        Strings
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0E5AB4
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0E5AF4
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID:
                                        • API String ID: 323602529-0
                                        APIs
                                        • GetLastError.KERNEL32(6C116DD8,0000000C), ref: 6C0EEF52
                                        • ExitThread.KERNEL32 ref: 6C0EEF59
                                        Similarity
                                        • API ID: ErrorExitLastThread
                                        • String ID:
                                        • API String ID: 1611280651-0
                                        APIs
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        APIs
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000000,?,6C104115,?,?,00000000,?,6C104115,00000000,0000000C), ref: 6C104474
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1784B1
                                          • Part of subcall function 6C17993B: __EH_prolog.LIBCMT ref: 6C179940
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 1$`)K$h)K
                                        • API String ID: 3519838083-3935664338
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C16AEF4
                                          • Part of subcall function 6C16E622: __EH_prolog.LIBCMT ref: 6C16E627
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $h%K
                                        • API String ID: 3519838083-1737110039
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $J
                                        • API String ID: 3519838083-1755042146
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C146CE5
                                          • Part of subcall function 6C11CC2A: __EH_prolog.LIBCMT ref: 6C11CC2F
                                          • Part of subcall function 6C11E6A6: __EH_prolog.LIBCMT ref: 6C11E6AB
                                          • Part of subcall function 6C146A0E: __EH_prolog.LIBCMT ref: 6C146A13
                                          • Part of subcall function 6C146837: __EH_prolog.LIBCMT ref: 6C14683C
                                          • Part of subcall function 6C14A143: __EH_prolog.LIBCMT ref: 6C14A148
                                          • Part of subcall function 6C14A143: ctype.LIBCPMT ref: 6C14A16C
                                        Strings
                                        Similarity
                                        • API ID: H_prolog$ctype
                                        • String ID:
                                        • API String ID: 1039218491-3916222277
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3J$`/J$`1J$p0J
                                        • API String ID: 0-2826663437
                                        • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                        • Instruction ID: acc078cd3310a26e313a785c0874a8f09344f45367a48f927e463cb3a894840f
                                        • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                                        • Instruction Fuzzy Hash: 6B41F772F10A200AB3488F7A8C856667FC3C7CA346B4AC23DD565C66D9DABDC40786A4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: W
                                        • API String ID: 3519838083-655174618
                                        • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                        • Instruction ID: 66b2180311b9dad2b718711668905bed018640bf23250d901443ab8415f4d2fa
                                        • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                                        • Instruction Fuzzy Hash: 24B27874A05359DFDB20CFA8C998B9EBBB4AF19308F244099E849EB741C775ED41CB60
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C16489B
                                          • Part of subcall function 6C165FC9: __EH_prolog.LIBCMT ref: 6C165FCE
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @ K
                                        • API String ID: 3519838083-4216449128
                                        • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                        • Instruction ID: 4aef824427c600641e1fdfb784e7fe86fcb5efbb392f01fff31efd182fc77752
                                        • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                                        • Instruction Fuzzy Hash: 72D1EF31D002049FDB14CFAAC4A0BDEB7B6FF94318F15816AE416ABF84CB7498A5CB54
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: x=J
                                        • API String ID: 3519838083-1497497802
                                        • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                        • Instruction ID: 2e509c27edf108405147e159825f9bf7ee860e5acb6f47f61c17b61e531af711
                                        • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                        • Instruction Fuzzy Hash: 04911631D091099FDF04DFA4D8A0AEDB7B5BF16318F24807AD46167E50DB3E9989CB50
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                        • Instruction ID: 994a1e8fecf57a018aa531ad7b0b7b4fb9a401d58be0024f93b7d81c7ac8a8e3
                                        • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                                        • Instruction Fuzzy Hash: A0B2DC30A0A758CFDB22CF68C494BDEBBF1BF15308F548599D49AA7A81D730A985CF50
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @4J$DsL
                                        • API String ID: 0-2004129199
                                        • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                        • Instruction ID: bc5602b5241564b655c8c07ff07b15adb4c672f63d888b7d913abf12fa356af4
                                        • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                        • Instruction Fuzzy Hash: 0F2171376A4D564BD74CCA68DC33EB92681E744305B89527EE94BCB7D1DF6D8800CA48
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                        • Instruction ID: 498f54e588ed31a86b5c675b6d50fc2d88499095c44603ae81cec28ecea9b5d6
                                        • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                                        • Instruction Fuzzy Hash: 7CF17A70904249DFDB04CFA9C590BEDBBB1BF15308F1480AED419ABB52D774AA68CF90
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                        • Instruction ID: 93922bbc79973daa79f70702c464ef32bcb91a75b2f36ba210d3fa9716584588
                                        • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                                        • Instruction Fuzzy Hash: BB3249B1A083058FC318CF56C48495AF7E2BFCC314F468A6DE98997355DB74AA09CF86
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                        • Instruction ID: 7b25c8a24dc1f566328d0468635d0f8eb6a0f135ea070681d9d31feed64b845c
                                        • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                                        • Instruction Fuzzy Hash: 151207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A2EE898A7311D770E9568BC6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: __aullrem
                                        • String ID:
                                        • API String ID: 3758378126-0
                                        • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                        • Instruction ID: 597283a6273c72dffbd17d6e1a6f44a06c7be71129b562572ec9b289b1732dcf
                                        • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                        • Instruction Fuzzy Hash: 1151EB72A053859BD710CF5AC4C06EDFBF6EF7A214F18C05EE8C897242D27A599AC760
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                        • Instruction ID: 511ed69f3037817c677f9bbb7b97aacc61f697dba34c0ad64946ec3040f7332f
                                        • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                        • Instruction Fuzzy Hash: 75028B31A083408BD325CF28C4A079EBBE2FFD9748F188A2DE5C597B51D7759949CB82
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                        • Instruction ID: 36b3c809c78cce1aff5a794cb74fa78e8f92bdb75686218544531e3daf2625dc
                                        • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                                        • Instruction Fuzzy Hash: 5CD13E729083148FD758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (SL
                                        • API String ID: 0-669240678
                                        • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                        • Instruction ID: d53fb67205392917bb0c221bded4e5709435eda143dae2b9c559b474dfbcdd12
                                        • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                        • Instruction Fuzzy Hash: 39516473E208214AD78CCF24DC2177572D2E784310F8BC1B99D8BAB6E6DD78989587D4
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                        • Instruction ID: 4ce4d35492e5f3b9f2daeaf1c47b1f1f2128847a04e19c10cfdf0c38fb450e51
                                        • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                                        • Instruction Fuzzy Hash: 23726CB16092178FD748CF18C890258FBE1FB89314B5A56ADD95ADB782DB30E895CFC0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                        • Instruction ID: 735f14079230f860194e51c6d1136a4cd4ee2b2f88d63a7ddc4dd1fca258bff8
                                        • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                        • Instruction Fuzzy Hash: 77524F31608B858BD718CF29C5907AAB7E2BF99308F148A2DD5DAC7B41DB74F849CB41
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                        • Instruction ID: 3ac566fcb1f694ca695e2e4856ed946b9373ce6fcaa828abdc6cb9077aae4115
                                        • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                        • Instruction Fuzzy Hash: 2E6203B9A083448FC718CF99C58061ABBF5BFD8744F148A2EE89987715D770E846CF92
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                        • Instruction ID: 569edc4cc61984040cc021e43ee11b97dc735487e216eb14f2e118456d383b46
                                        • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                                        • Instruction Fuzzy Hash: 67429075604B458FD328CFA9C8907AAB3E2FB84314F044A2EE597C7B94E774E54ACB41
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                        • Instruction ID: a0449509e0d27b3f326cc229464d8880bb6ce2092de0fdde441042e0c1089d07
                                        • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                        • Instruction Fuzzy Hash: 541290712097418FC718CF29C49066AFBE2BFD9344F54892DE9EA87B41D735E846CB82
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                        • Instruction ID: c5ce7e54321f462dc8ed085c71f41a8621c0b899c9743b0430413935d4e2bdc0
                                        • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                                        • Instruction Fuzzy Hash: 9F021777A083604BD718CE5DC890319B7E3BBC0390F6A5A2EE89547794DAB4D94BCB81
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                        • Instruction ID: 6a6cab5588851d05e63988280c01eb512e0cebee32462ce3a1628773c01dcf46
                                        • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                        • Instruction Fuzzy Hash: B8024836A083118BC319CE6CC490319BBF2FBC4355F195B2EE59697A94DB74D84ACF82
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                        • Instruction ID: 7ee190ea47303bba6853f7e76ddac3714beb2b45a4d4e7355c04ba898bc10f5a
                                        • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                                        • Instruction Fuzzy Hash: B712D030604B518FC328CF2EC4A4626FBF2AF85304F188A6ED1D687BA1D735E559CB91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                        • Instruction ID: a8b89ad8460944854488b983e87c5c52d33c911c40b4f62a4f34fd1b91853aa1
                                        • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                                        • Instruction Fuzzy Hash: AD02A1716087208FC328DF2ED4A022AFBF1AF85301F148A6EE5DA87B91D336E555CB51
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                        • Instruction ID: a842349c91e8aa33b39d29832bd152f8979032819f48e07fdcdc2aa3f625c704
                                        • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                                        • Instruction Fuzzy Hash: 8AE1CE71604B058BE724CF28D8603AAB7E2EFC5314F544A3DC6A6C7B81DB75E50ACB91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                        • Instruction ID: d3f705e695c88377d76d59e3ff2205cb326913f0f9a39e53dab8656dd713734a
                                        • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                                        • Instruction Fuzzy Hash: 44F1B2706087518FC328CF6DD4A0266FBE2AF89304F184A6ED1D6CBA91D339E565CB91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                        • Instruction ID: 1cce0519d21cf2fb9f3a1f8b368f0edb26ac5787e3e961959bf2a79d22b48062
                                        • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                                        • Instruction Fuzzy Hash: 82F1F1745087618FC328DF69C4A026AFBF2BF85304F188A2ED5D686B91D33AE156CB51
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                        • Instruction ID: 9ac12a7fe77903757b1f5c885fc7b2f94952f484b3602cf9ffe81f3f618b25da
                                        • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                                        • Instruction Fuzzy Hash: BAC1E471604B0A8BE368CF29C4906AAB7E2FBD4314F158A2DC1A7C7B45D634F495CBD0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                        • Instruction ID: 345a2fbc1cd0b2c099ca872818f816cc1ff2da50b3465e755a640144bc672daa
                                        • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                                        • Instruction Fuzzy Hash: 5EE1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B423DDA650B392D734A942DB94
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                        • Instruction ID: 2020c3b8e583a38fe7f42cf270778c710062b05a0a0de34295e9fb61e20c2066
                                        • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                                        • Instruction Fuzzy Hash: D4B18F71A062218FC350CF29C8802457BA2FFD5229775D7ADC4A48FA5AD336E957CBD0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                        • Instruction ID: 3099a04832112552bf4ae149ffe327fad465c1207835acc7460d338318d642ba
                                        • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                        • Instruction Fuzzy Hash: F0C1D4356047418BC718CF39D0A46A7BBE2EFEA314F148A6DC8CE4BB55DA30A40ECB55
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                        • Instruction ID: ae02a11bad56dc92bf9fec66c4a12cf4a4eb355785a71f87a0b890e25dadafa6
                                        • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                                        • Instruction Fuzzy Hash: 7EB18F76A012408FD380CF29C884254BBA2FF9532CB79969EC5948F646E337E947CBD1
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                        • Instruction ID: 756b8a17f389fa7fb7a0aac45df71bf020021f332877aaf5b59e059cfeedf090
                                        • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                                        • Instruction Fuzzy Hash: 1DD1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                        • Instruction ID: f5f7da7f5671a978f33c30d83597c98a6c233094f7568a0e846c025fc12ecea7
                                        • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                        • Instruction Fuzzy Hash: BAB1F53530AB054BD314DF79C890BEAB7E1AF91708F04452EC5AB87781DF35B6098B95
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                        • Instruction ID: ccd8821c25747e782cbc77879d07fc20717d07e02d61d53a87c23ba87dd5e9fb
                                        • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                                        • Instruction Fuzzy Hash: B76110B27082158FD30CCFA9E580A96B3E5EBA9321B1686BFD115CB361E771DC45CB18
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                        • Instruction ID: e27b6fd75ca879e91f53b0245d1cca8a91da751411a8e9b4164bfa56522bc755
                                        • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                                        • Instruction Fuzzy Hash: 498102B2D447298BD310CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBC0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                        • Instruction ID: ac4e045541cde1710ebd40425dc21a655f326562abb6f033ba9d9f41ad040519
                                        • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                                        • Instruction Fuzzy Hash: AB918F76C1871A8BD314CF58C88025AB7E0FB98308F09067DED99A7341D739EA55CBC5
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction ID: f922fa620c07e85364490b8a569bdb1bb75c62943272fd67802afe3f728b52d6
                                        • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction Fuzzy Hash: 4851BE72F006199BDB08CE98DDA16EDBBF2EB88308F249169D119E7781D7749A41CB40
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction ID: 0cc9e81c083c6c718e649c6d935bfdaac143bf2737aa5611f2aa7e416a8eb0e7
                                        • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction Fuzzy Hash: 213114277A441107C70CDA2BCC1679F91575BE462A70EDB796809DAF96D52CC8124184
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                        • Instruction ID: b5d87e6b231b15060a8046494bda751c0c00b6988f14994a105b93a29d6e62b6
                                        • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                                        • Instruction Fuzzy Hash: B0312A73500A051AF2018529C9443567223FFD2378F2E87A6E97787EECDA71DA07C180
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                        • Instruction ID: f7013828b3fea3a9046c45dd7a6b6b11be047a5e6b6d0b19b58fe56d9bf68d25
                                        • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                                        • Instruction Fuzzy Hash: 7F41B3B590470A8FD704CF59C89066AB3E4FF88318F454A2DED5AA7381E334EA25CB91
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                        • Instruction ID: 0abbf45b2e922f9198ad16f4afb268dd1dff3fecc230889846b18addaf93aaea
                                        • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                                        • Instruction Fuzzy Hash: 862148B1A047E707E7209E6DCCD037577D29BC2305F098279DAA08FA87D17984A2DA60
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                        • Instruction ID: b1ddd23761eea57b91c373d737f7498b585d2aaeafd3d60df669aef95aea79f4
                                        • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                                        • Instruction Fuzzy Hash: BF21077251542547C301DF2DE888677B3E1FFD431DF678A2AD9929B581C638D444EAE0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                        • Instruction ID: 35237db8a6cdb1111410a8da30067daf653354c3da71d10f4f8265353d6a6ebb
                                        • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                                        • Instruction Fuzzy Hash: 7D2102326011148FC701EF7AD98469B73E6EFC8365FA7CA3DED8157640C630E6068AA0
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                        • Instruction ID: 828b76a7c88a811ebab10300e5cacd023057c9ba2192d6b20b21e4c0c4152a3b
                                        • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                                        • Instruction Fuzzy Hash: 2901817291462E57DB189F48CC41136B390FB95312F49823ADD479B385E734F971C6D4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                        • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                        • API String ID: 3519838083-609671
                                        • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                        • Instruction ID: 203addcec7f04c3b5d9c03d8f9ab7269730688ca005a741bbfeaa91cdb8b3e32
                                        • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                        • Instruction Fuzzy Hash: 36D1C171A0420ADFCB10CFA4D990FEEF7B5FF55308F248569E055A3A50DB74AA48CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $ $$ K$, K$.$o
                                        • API String ID: 3519838083-1786814033
                                        • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                        • Instruction ID: 5dc5c8958a0220e20c62f61c58399bb0e511e7cacd49f4809f92ab78d4dd88ea
                                        • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                                        • Instruction Fuzzy Hash: A0D14931D0426D8FCF11CFAAC4907EEBBB1BF16308F64426AC491ABE40C7759916CB61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: __aulldiv$H_prolog
                                        • String ID: >WJ$x$x
                                        • API String ID: 2300968129-3162267903
                                        • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                        • Instruction ID: d17cb231c7b538239dd6bba15d31c34594e005e1933e6cbf7d4df810680611f7
                                        • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                        • Instruction Fuzzy Hash: F612787190022DEFDF10DFA4C880AEDBBB5FF58318F20956AE919ABA50C7359949CF50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: __aulldiv$__aullrem
                                        • String ID:
                                        • API String ID: 2022606265-0
                                        • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                        • Instruction ID: 58a92bbd7741a51fa8574eaaeed59a45631f35a4c39adf0b2ead2fcc927954b7
                                        • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                        • Instruction Fuzzy Hash: 0B218D34901219BFDF208E95CC80EDFBA69EF427A8F208626F52471694D275CD90CAF5
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C12A6F1
                                          • Part of subcall function 6C139173: __EH_prolog.LIBCMT ref: 6C139178
                                        • __EH_prolog.LIBCMT ref: 6C12A8F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: IJ$WIJ$J
                                        • API String ID: 3519838083-740443243
                                        • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                        • Instruction ID: 03401f8755fd09d3a9d836f76adcac9802a760594901d4b2be7a60de1712aaa8
                                        • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                        • Instruction Fuzzy Hash: 2971BE34904255DFDB04CFA4C480BEDBBB1FF14308F1084A9D855ABB91CB79AA8DCB91
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C13E41D
                                          • Part of subcall function 6C13EE40: __EH_prolog.LIBCMT ref: 6C13EE45
                                          • Part of subcall function 6C13E8EB: __EH_prolog.LIBCMT ref: 6C13E8F0
                                          • Part of subcall function 6C13E593: __EH_prolog.LIBCMT ref: 6C13E598
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: &qB$0aJ$A0$XqB
                                        • API String ID: 3519838083-1326096578
                                        • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                        • Instruction ID: cbb467d5cf0a6bc3ff792e7e2fdb7ba87229f92a423d112a1ad4bf4632aae539
                                        • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                        • Instruction Fuzzy Hash: AC21A771D05358AACB08CBE4D995AECBBB4AF25318F20406AE41673B80DB780E0CCB60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: J$0J$DJ$`J
                                        • API String ID: 3519838083-2453737217
                                        • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                        • Instruction ID: f496341281e25859240e5d4b1be135fc5bfc7a2bc29d148976df899af7e61f69
                                        • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                        • Instruction Fuzzy Hash: 2F11F5B0504B64CEC720CF5AC45029AFBE4BF65708B00CA1FC0A687B10C7F8A508CB89
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $!$@
                                        • API String ID: 3519838083-2517134481
                                        • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction ID: 8f52351cebcbbe5eb0bdf33ca58f48c6c5f670bc6fcb9bbc6b93e153806cabf3
                                        • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction Fuzzy Hash: DE125B74906249DFCB04CFA6C490ADDBBB1BF19308F14846AE845ABF51DB31E965CFA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog__aulldiv
                                        • String ID: $SJ
                                        • API String ID: 4125985754-3948962906
                                        • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction ID: 6d0739b42593a12f09cee33f9b5d72368f971e350332dbe65817f2b57bdb9380
                                        • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction Fuzzy Hash: E7B15C71D00219DFCB14DF99C894AAEBBB1FF58318B20952ED419A7B51C734AA45CF90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $CK$CK
                                        • API String ID: 3519838083-2957773085
                                        • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                        • Instruction ID: 5bd1cf35ee3e28da1d6ff5b65db89b6c5131d1818cbba2edbb858f3e0b43472a
                                        • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                        • Instruction Fuzzy Hash: 4F21B870E01219CBCB04DFE9C4901EEF7B2FF95308F55562AC516E7B91C7744A058A54
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C144ECC
                                          • Part of subcall function 6C12F58A: __EH_prolog.LIBCMT ref: 6C12F58F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :hJ$dJ$xJ
                                        • API String ID: 3519838083-2437443688
                                        • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                        • Instruction ID: dcfa1894e1108c2cbf7b87c6f2353464ec3777d62b678db52a970588b22665b6
                                        • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                        • Instruction Fuzzy Hash: 2A21DCB0805B40CFC760CF6AC14428ABBF4BF29704B00C96EC0AA97F11D7B8A548CF55
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <J$DJ$HJ$TJ$]
                                        • API String ID: 0-686860805
                                        • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                        • Instruction ID: 02d7f1345c3a7e8e6185b0250c94f314c1f101c17627bf471d17fed367ea8ac9
                                        • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                        • Instruction Fuzzy Hash: 8C41B434C09699AFCF14CFA5D490AEEB770AF2120CB60D179D12527E90FB39A64DCB11
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                        • Instruction ID: 785c29449c05d86e668d2d0ef2d38916d1062cf3e6b0144a315acc0925f921a6
                                        • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                        • Instruction Fuzzy Hash: 87119376600208BFEB215BA4CC44FAF7BBDEF85748F10841EF24956650C671AC149B70
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C11E077
                                          • Part of subcall function 6C11DFF5: __EH_prolog.LIBCMT ref: 6C11DFFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :$\
                                        • API String ID: 3519838083-1166558509
                                        • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                        • Instruction ID: c1daebf97ae98f7b2c7216aa6819c7e3050adb3811e4bd58c86563da0e0bb25f
                                        • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                        • Instruction Fuzzy Hash: C9E1B030908209DACB15DFE4C898BDDBBB1AF25318F108139D45667F90EB7DA749CB91
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$hfJ
                                        • API String ID: 3519838083-1391159562
                                        • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                        • Instruction ID: c0848bdb40f35f954cbc52df20a65af9171fd2f0a4cfa2da125f7a33ecdeec2b
                                        • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                        • Instruction Fuzzy Hash: A2915C70910248EFCB14DF99C894ADEFBF4FF18308F94852EE555A7A90D774AA49CB10
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C138C5D
                                          • Part of subcall function 6C13761A: __EH_prolog.LIBCMT ref: 6C13761F
                                          • Part of subcall function 6C137A2E: __EH_prolog.LIBCMT ref: 6C137A33
                                          • Part of subcall function 6C138EA5: __EH_prolog.LIBCMT ref: 6C138EAA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: WZJ
                                        • API String ID: 3519838083-1089469559
                                        • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                        • Instruction ID: 7cdc1a590d07ba4ef64375fa08f827be6c75bdfd0b1827fa3b819d8d177c2a17
                                        • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                        • Instruction Fuzzy Hash: 2C816931D00158DFDB15DFA4D990BDDBBB4AF19318F1080AAE416B7B90DB34AE49CB61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog__aullrem
                                        • String ID: d%K
                                        • API String ID: 3415659256-3110269457
                                        • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                        • Instruction ID: 38e56ebcf9b33562dc6122e37faf9977d220566bcfc556d578dbd0e9bf964aef
                                        • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                                        • Instruction Fuzzy Hash: 9861EF32A01229CFDF01CF56C854BEEB7F1AF55309F288059D814ABE81D735DA19CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: CK$CK
                                        • API String ID: 3519838083-2096518401
                                        • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                        • Instruction ID: 1b312886b1e5b3768b3eef8e9b0ff6c578f762e6db82d8e0fc7d34dbd4144cc8
                                        • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                                        • Instruction Fuzzy Hash: 2051B075A00319DFDB00CFA5D8C0BEEB7B5FF98358F148529D901EBA41DB74A9168B60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: PdJ$Q
                                        • API String ID: 3519838083-3674001488
                                        • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                        • Instruction ID: 3d968c206e34c5af947cc5930e8b07820d70b3482c4494b9d7c35580fd3dc2c7
                                        • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                                        • Instruction Fuzzy Hash: BD41C135D04245DBCB11DFAAC8909DDB7B0FF69718F10C12EE926A7A90C3359D45CB94
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0|J$`)L
                                        • API String ID: 3519838083-117937767
                                        • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                        • Instruction ID: 4c9e29c865a8a0aa35b73e12aaddc361b44ac15f2d604bef9dee3f26fb7f1061
                                        • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                        • Instruction Fuzzy Hash: E041A2B1605785EFDB11CF60C4A0BEABBE2FF55208F40442EE07A97B50CB756928CB91
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID: 3333
                                        • API String ID: 3732870572-2924271548
                                        • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                        • Instruction ID: a270fe1a5d9cbeda1d3ac458a229eda22d96794520717af471b13351c96b5397
                                        • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                        • Instruction Fuzzy Hash: 192191F09007046ED734CFA98881BABFAFDEB94714F10891FE186E3A40D770E9448BA5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$LuJ
                                        • API String ID: 3519838083-205571748
                                        • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                        • Instruction ID: 3dedd2130ada2f8148e9537637a172a53da79276f2f6fb8b990ac49b05993c05
                                        • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                        • Instruction Fuzzy Hash: 1A0161F1E01249DADB10DFD988906AEF7B4FF65308F80842EE569E3A40C3785944CB95
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$xMJ
                                        • API String ID: 3519838083-951924499
                                        • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                        • Instruction ID: 55333e837d2214a4872593161031d4c6df46d5a7e42d3922d5569c53be2f3a4b
                                        • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                        • Instruction Fuzzy Hash: 1E119A75A00209DBDB00DF99C4A059EB7B0FF59308B50C42ED529E3600C3389A45CB55
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: p/K$J
                                        • API String ID: 3519838083-2069324279
                                        • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                        • Instruction ID: 6c3ce9d6073ffbce33f2c5d4d4a91b84adf6f7090076923b65db56a1078a1734
                                        • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                                        • Instruction Fuzzy Hash: 4501BCB1A117119FD724CF59C5143AAB7F4EF55729F10C85EE052A3B40C7F8A5088BA4
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C15AFCC
                                          • Part of subcall function 6C15A4D1: __EH_prolog.LIBCMT ref: 6C15A4D6
                                          • Part of subcall function 6C15914B: __EH_prolog.LIBCMT ref: 6C159150
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: J$0J
                                        • API String ID: 3519838083-2882003284
                                        • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                        • Instruction ID: d97a13d0e9af61e5123cf943bdd922fcab45025090bc33f238736138418f78f9
                                        • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                                        • Instruction Fuzzy Hash: C80102B1800B50CFC325CF6AC5A428AFBE0BB15308F90C95EC0AA57B50D7B8A508CB68
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1543F9
                                          • Part of subcall function 6C154320: __EH_prolog.LIBCMT ref: 6C154325
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: `)L$|{J
                                        • API String ID: 3519838083-2198066115
                                        • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                        • Instruction ID: ea68e0bf38821f3f552e080956d20e0150b48b823c9951433b0ed1c28f16d87c
                                        • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                                        • Instruction Fuzzy Hash: 89F0A072610014FFCB059F94DC04FDEBBB9FF49314F00802AF515A6660CBB56A24CB98
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID: H_prologctype
                                        • String ID: <oJ
                                        • API String ID: 3037903784-2791053824
                                        • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                        • Instruction ID: fc51d6e1f6189ebc1f4e4db4c8c1a5d8ea5406623381fc33dbf0559bca69fb15
                                        • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                        • Instruction Fuzzy Hash: 59E02232A05110DFDB089F08C820BDEF7F4EF52B24F12412FE021A3B51CBB5A800CA80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: D)K$H)K$P)K$T)K
                                        • API String ID: 0-2262112463
                                        • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                        • Instruction ID: ec846a6c05576fb03ec00c03c916ebae84470d011c1cb84172bf948e28dfa19f
                                        • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                                        • Instruction Fuzzy Hash: E651D2309082099BCF21DFA8D850BDEB7B1AF1531CF10446AE86567E80DB7D9998CFA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
                                         • Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (?K$8?K$H?K$CK
                                        • API String ID: 0-3450752836
                                        • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                        • Instruction ID: c51278e4dd024b9bc576ed1584e90ee47d00dfed84d180b266712c9c2b2533f4
                                        • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                                        • Instruction Fuzzy Hash: A7F030B05017009FC320CF46D54879BF7F4EB55709F50C95EE09A9BB40D3B8A5088FA9
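The blocks above are raw Joe Sandbox function-similarity records for the 6C118000 module dump, and a full report carries hundreds of them. The following is an added example, not Joe Sandbox code and not part of the original report: it parses blocks in this layout into records, strips the "Download File" link text that page extraction fused onto the Associated filenames, and groups functions by their API ID. The sample text embedded in it is constructed from two blocks copied from this listing. Reading the API String ID as "hash of the API set" followed by "hash of the string set" is an inference from the listing itself (every H_prolog block carries 3519838083, every block with no API ID carries 0); it is not documented Joe Sandbox behaviour.

```python
"""Parse Joe Sandbox function-analysis blocks (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed sample: two blocks copied from the listing above, with the
# 'Download File' link residue left exactly as page extraction produced it.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 6C15AFCC
  • Part of subcall function 6C15A4D1: __EH_prolog.LIBCMT ref: 6C15A4D6
  • Part of subcall function 6C15914B: __EH_prolog.LIBCMT ref: 6C159150
Strings
Memory Dump Source
• Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
• Associated: 00000007.00000002.2323076240.000000006C1E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
Similarity
• API ID: H_prolog
• String ID: J$0J
• API String ID: 3519838083-2882003284
• Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
• Instruction ID: d97a13d0e9af61e5123cf943bdd922fcab45025090bc33f238736138418f78f9
• Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
• Instruction Fuzzy Hash: C80102B1800B50CFC325CF6AC5A428AFBE0BB15308F90C95EC0AA57B50D7B8A508CB68
Strings
Memory Dump Source
• Source File: 00000007.00000002.2321888955.000000006C118000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C118000, based on PE: true
• Associated: 00000007.00000002.2323150820.000000006C1E9000.00000020.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6bf60000_#U5b89#U88c5#U52a9#U624b1.jbxd
Similarity
• API ID:
• String ID: D)K$H)K$P)K$T)K
• API String ID: 0-2262112463
• Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
• Instruction ID: ec846a6c05576fb03ec00c03c916ebae84470d011c1cb84172bf948e28dfa19f
• Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
• Instruction Fuzzy Hash: E651D2309082099BCF21DFA8D850BDEB7B1AF1531CF10446AE86567E80DB7D9998CFA0
"""

LINK_RESIDUE = "Download File"  # link text the page extraction fused onto filenames
SUBCALL_RE = re.compile(r"Part of subcall function ([0-9A-F]+): (\S+) ref: ([0-9A-F]+)")
API_RE = re.compile(r"^\s*•\s*(\S+) ref: ([0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")


def _new_record():
    return {"apis": [], "subcalls": [], "associated": []}


def parse_blocks(text):
    """One dict per function; a block is closed by its 'Instruction Fuzzy Hash' line."""
    records, cur = [], _new_record()
    for line in text.splitlines():
        m = SUBCALL_RE.search(line)
        if m:  # (callee function, API, ref) reached through a sub-call
            cur["subcalls"].append(m.groups())
            continue
        m = API_RE.match(line)
        if m:  # direct API reference: (API, ref)
            cur["apis"].append(m.groups())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # plain section headers: APIs, Strings, Similarity, ...
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Associated":
            if value.endswith(LINK_RESIDUE):
                value = value[: -len(LINK_RESIDUE)]
            cur["associated"].append(value)
        elif key == "Source File":  # '<dump>.sdmp, Offset: <hex>, based on PE: <bool>'
            parts = [p.strip() for p in value.split(",")]
            cur["source"] = parts[0]
            for part in parts[1:]:
                k, _, v = part.partition(":")
                cur[k.strip().lower().replace(" ", "_")] = v.strip()
        else:
            cur[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = _new_record()
    return records


def group_by_api_id(records):
    """Opcode IDs sharing the same API ID ('' when the block lists no API)."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("API ID", "")].append(r["Opcode ID"])
    return dict(groups)


def api_hash_by_api_id(records):
    """First half of 'API String ID' per API ID. Inference from this listing only:
    every H_prolog block carries 3519838083 and every block without an API ID
    carries 0, so that half appears to hash the API set and the second the strings."""
    seen = defaultdict(set)
    for r in records:
        seen[r.get("API ID", "")].add(r["API String ID"].split("-")[0])
    return {k: sorted(v) for k, v in seen.items()}
```

Feed the whole function-analysis section to parse_blocks and the result is one record per function, so you can pivot on API ID, on the LIBCMT references in "apis" and "subcalls", or on the 6C118000 offset to find every function attributed to that module dump without scrolling through the page.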