Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.1.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b2.0.1.exe
renamed because original name is a hash value
Original sample name: 2.0.1.exe
Analysis ID: 1580390
MD5: 41e1d55f027ccbe1d6f1791b7dfa7230
SHA1: 00dec8637d70bd850f93eb84a321f378bf840429
SHA256: 83bc10b4f3f87db6168859335d139a1d85546fde941417bb4878a12297cc0f1c
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b2.0.1.exe (PID: 6800 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" MD5: 41E1D55F027CCBE1D6F1791B7DFA7230)
    • #U5b89#U88c5#U52a9#U624b2.0.1.tmp (PID: 6788 cmdline: "C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10438,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" MD5: 1AAE13D934719B05CE28D55B93D3EAF0)
      • powershell.exe (PID: 5840 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 4404 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b2.0.1.exe (PID: 2360 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT MD5: 41E1D55F027CCBE1D6F1791B7DFA7230)
        • #U5b89#U88c5#U52a9#U624b2.0.1.tmp (PID: 6136 cmdline: "C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$3043E,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT MD5: 1AAE13D934719B05CE28D55B93D3EAF0)
          • 7zr.exe (PID: 6104 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7148 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6412 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6668 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5252 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5960 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5688 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4068 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4256 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6052 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6980 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5960 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5356 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7084 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6392 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7156 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3716 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2800 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1656 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1440 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3116 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6416 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4256 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6584 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3856 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6776 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1288 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1480 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1564 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 768 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5880 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5576 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10438,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp, ParentProcessId: 6788, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5840, ProcessName: powershell.exe
Source: Process started Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6412, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6668, ProcessName: sc.exe
Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10438,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp, ParentProcessId: 6788, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5840, ProcessName: powershell.exe
Source: Process started Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6412, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6668, ProcessName: sc.exe
Source: Process started Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10438,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp, ParentProcessId: 6788, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5840, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-7HOAQ.tmp\update.vac ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-OPTHI.tmp\update.vac ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.0% probability
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2092104651.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2092206507.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CA0B430 FindFirstFileA,FindClose,6_2_6CA0B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00286868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00286868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00287496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00287496
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.2049408158.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr
Strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.2040758241.000000007FA4B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.2040361532.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000000.2042348618.0000000000161000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000000.2054945634.00000000008BD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr
Strings found in binary or memory:
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process information set: 01 00 00 00

System Summary

Source: update.vac.1.drStatic PE information: section name: .#.q
Source: hrsw.vbc.6.drStatic PE information: section name: .#.q
Source: update.vac.6.drStatic PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6CA15690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6CA15690
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6C893886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C893886
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6C893C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C893C62
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6C893D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C893D18
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6C893D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C893D62
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6C8939CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C8939CF
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6CA162D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6CA162D0
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6C893A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6C893A6A
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6C891950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6C891950
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpCode function: 6_2_6C894754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6C894754
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: String function: 6CAE6F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: String function: 6CA49240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0031FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00281E40 appears 172 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 002828E3 appears 34 times
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000000.2038995185.00000000003F9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName qfNlzMTb92O1uCBH.exe vs #U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.2040758241.000000007FD4A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName qfNlzMTb92O1uCBH.exe vs #U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.2040361532.00000000032BE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName qfNlzMTb92O1uCBH.exe vs #U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Binary or memory string: OriginalFileName qfNlzMTb92O1uCBH.exe vs #U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@135/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6CA162D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00289313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00293D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00289252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6CA157B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Program Files (x86)\Windows NT\is-P3MT2.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6052:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6564:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1680:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2940:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3372:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10438,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$3043E,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10438,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exeProcess created: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$3043E,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (this event is repeated 30 times)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: wintypes.dll (this event is repeated 3 times)
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: wintypes.dll (this event is repeated 3 times)
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll (this event is repeated 2 times)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static file information: File size 6118958 > 1048576
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2092104651.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2092206507.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_003057D0
Source: update.vac.1.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343abb
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: real checksum: 0x0 should be: 0x5dd25c
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343abb
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.1.dr | Static PE information: section name: .00cfg
Source: update.vac.1.dr | Static PE information: section name: .voltbl
Source: update.vac.1.dr | Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .#.q
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6CA18C5B push ecx; ret 6_2_6CA18C6E
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6C8C0F00 push ss; retn 0001h 6_2_6C8C0F0A
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6CA4B9F4 push 004AC35Ch; ret 6_2_6CA4BA0E
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6CAE7290 push eax; ret 6_2_6CAE72BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002845F4 push 0032C35Ch; ret 10_2_0028460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0031FB10 push eax; ret 10_2_0031FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0031FE90 push eax; ret 10_2_0031FEBE
Source: update.vac.1.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.6.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.6.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OPTHI.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OPTHI.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7HOAQ.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7HOAQ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-7HOAQ.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Users\user\AppData\Local\Temp\is-OPTHI.tmp\update.vac
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6306
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3411
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Window / User API: threadDelayed 653
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Window / User API: threadDelayed 577
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Window / User API: threadDelayed 581
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OPTHI.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OPTHI.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7HOAQ.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7HOAQ.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CA0B430 FindFirstFileA,FindClose, 6_2_6CA0B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00286868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00286868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00287496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00287496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00289C60 GetSystemInfo, 10_2_00289C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000002.2064925735.00000000010EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000002.2064925735.00000000010EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

barindex
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6C893886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C893886
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CA206F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA206F1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_003057D0
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CA1F6ED mov eax, dword ptr fs:[00000030h] 6_2_6CA1F6ED
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CA2A2A5 mov eax, dword ptr fs:[00000030h] 6_2_6CA2A2A5
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CA2A2D6 mov eax, dword ptr fs:[00000030h] 6_2_6CA2A2D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CA206F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA206F1
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CA1922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CA1922D

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6CAE7720 cpuid 6_2_6CAE7720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0028AB2A GetSystemTimeAsFileTime, 10_2_0028AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00320090 GetVersion, 10_2_00320090
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 421 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | Logon Script (Windows) | 111 Process Injection | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | 35 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (rendered graph not reproduced): Behavior Graph ID: 1580390, Sample: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Startdate: 24/12/2024, Architecture: WINDOWS, Score: 88

Antivirus detection (sample)
Source | Detection | Scanner | Label | Link
#U5b89#U88c5#U52a9#U624b2.0.1.exe | 0% | ReversingLabs | |

Antivirus detection (dropped files)
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 24% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-7HOAQ.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-7HOAQ.tmp\update.vac | 24% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-OPTHI.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-OPTHI.tmp\update.vac | 24% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b2.0.1.exe | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.2040758241.000000007FA4B000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.2040361532.00000000031A0000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000000.2042348618.0000000000161000.00000020.00000001.01000000.00000004.sdmp; #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000000.2054945634.00000000008BD000.00000020.00000001.01000000.00000008.sdmp; #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr; #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.2040758241.000000007FA4B000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.2040361532.00000000031A0000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000000.2042348618.0000000000161000.00000020.00000001.01000000.00000004.sdmp; #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000000.2054945634.00000000008BD000.00000020.00000001.01000000.00000008.sdmp; #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr; #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | false | | high
        No contacted IP infos
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580390
Start date and time: 2024-12-24 12:59:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b2.0.1.exe (renamed because the original name is a hash value)
Original Sample Name: 2.0.1.exe
Detection: MAL
Classification: mal88.evad.winEXE@135/33@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 28
• Number of non-executed functions: 71
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 2.16.168.117, 2.16.168.102, 20.242.39.171, 13.107.246.63
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, dns.msftncsi.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.1.exe
Time | Type | Description
07:00:00 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b2.0.1.tmp modified
07:00:02 | API Interceptor | 20x Sleep call for process: powershell.exe modified
        No context
        No context
        No context
        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Windows NT\7zr.exe | cVyexkZjrG.exe | Get hash | malicious | Unknown | Browse |
 | cVyexkZjrG.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b1.0.3.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b1.0.1.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b1.0.3.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b1.0.1.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
 | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Get hash | malicious | Unknown | Browse |
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: cVyexkZjrG.exe, Detection: malicious, Browse
                            • Filename: cVyexkZjrG.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1366688
                            Entropy (8bit):7.999860182084113
                            Encrypted:true
                            SSDEEP:24576:ykszubJEHXUnZ5lDGPymP+zGKCdzE1Ec7NVbudpaG3pVDQuYyeZ8JkltMr4CZzgN:tJCUnxDGPymGkdzE1D7naaG5VDQuYye3
                            MD5:163660B027C20F57AD577359C6812B33
                            SHA1:77DB7B0BDFB312B1E74C14F3CCDE791171E49A8D
                            SHA-256:9A82396DF35501784695C4A8D0A6C31839C1ED2A14F0F0D8FC4A939831FF1E93
                            SHA-512:A8E7BF3C46482D2CB3FC5848BFB0CA924E0500FBBB1ECBB6A2439AC79E18C781C9F18C65EC8909F8B9FE1B5B325ABB82F7861C658C2B6BAFA0F9995C630CDDE2
                            Malicious:false
                            Preview:.@S.........&...............dt.-.hS...p...{.<....&......G.oN.....-.....B..._.`Q.....9vg...r..^....K.Pr......b7.cv.k.w.o........y..3."....k..T..'....Z...C.........s`,...I....b#e.........R9......f.ht.!@..).z.'$0.=.^....*U..Z....`..v..lVy.*../b...:.T..}VB.rn......p. @....|.#4,r.)8.53.........A...c.N.1..&N.O..Z.&.9/[`.5.......f..H|D.....kb...W.Xx...vm.N.dn...h.&.+.D.*f.^..m.6.Sn.^..d...... /.M.._u.-F...P..."..}.F..,.".j?.........m.m-.T...y......nN......kJ.i..w...<5.~...k&}c...=34!}.8x..I.%..j.V]"..-...ZxW.........>.#m.. .<...*.RU..5T.F......r..'E.bIiJ.............. i.=.........0.;>v.C.. t%`....J.j.9a..<....Ml.9.nZ.U.....Azy.9V.u\y.X..5../1.g@.e.I.H.....0..$..8...eU.U..x..Y..V .f.....]O6H..vE.WNA.S.t.I.L.9...2]..9.Q..u...R.. .J.4..%.7.!.v.X..5#<PEc.....}.UR..i....."U;.X..f...IO..*...#.....l..b...'..[1..F....9n.Y.Hr.eu.9WHW#.u.........}.>.24.?....RR...-.F=W3..j.....%v...$S'P?.+......X...lB.....4]....G.n.3.{......K./.....zp..F0...Y..a..]..
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606016
                            Entropy (8bit):7.0063494494702985
                            Encrypted:false
                            SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                            MD5:95ACD5631A9131DB1FD066565AFC9A67
                            SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                            SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                            SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:OpenPGP Public Key
                            Category:dropped
                            Size (bytes):1116602
                            Entropy (8bit):7.999845601264198
                            Encrypted:true
                            SSDEEP:24576:P5fyz7KSU1Mu/Nz9srsOI1fPIsaFMkul+w/clfZNoY3NB9lcSWodVo/zEH:0z7Kr5V6sOI1XIe3/cbNh3NPlPdVoIH
                            MD5:E167D6FBCB2A46EEBE2FC38F091A3BD3
                            SHA1:E0F10FF2CB7E3628FCE672143916BE714AA66391
                            SHA-256:842C85ABF00D78276A5D402908B4D97BE063CD50B9A0416589C5D2EA65C40DD0
                            SHA-512:BDC65C655684E77EFFD208E9622A506F41500651BD0B6C035C09E3FC6BB86F62115C88F24A0C1711D0F1F66E2FA06DA9055D659247F1DB15E9BA55D4C9BB71DF
                            Malicious:false
                            Preview:.....8@..\.S.D..7F....+....Z..R..&e.~&.p.p.!..Gf.64...B<..*#.............c%h....3DV...NW.^br..I..y..#.+L&D.k:y...^./....N.\.0.....U...W.&.^x....qYy.{...T.g..c._.*eC..../k...<.X...........+.L2..^..........I0Y.+..9-<...^........iq...<.D. .4........x.@%..>.5M...cq...y...D....`.;..]....@5*"_"*.W.......4.....O.9T.......OD...6PQ..V........)......57..............N......AM}..(...vM.o...<I].8...O;.........i..C;.6."*b..E..()..9Yh..i..../!L.....h.YJ2...(.._..d%....U4i>48..i]k.^.|Jm.......Y...l......<..@........Z(6q.....w.#.S|...#.......B..enr....&...+e).`....-....b.._....7$)N.;.*ha&V.V.,.dP`*A..wAS.'}"'.H.....e..]...F.'q.......^oA.x-..,...-...+T...g.R.. .t..s_.d...4,....W...,RU5l.....%l...qq...;?K.]..%..}...yZ...]o..o..@.U......q?Y..J.h.MH...u.....E.%.-........w.,.I...)...*)....g..``Z.z......_..&..y...G.O.......k.....>..%.H.K..T(.0.B..U..X....1T)].$.,....9...~.Z..].....j.....Y2x..w8....H.|O..1.:f...Sk.@tG..l..~6\:..x.$..E.K.....g....Gz...
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1366688
                            Entropy (8bit):7.999860182084113
                            Encrypted:true
                            SSDEEP:24576:ykszubJEHXUnZ5lDGPymP+zGKCdzE1Ec7NVbudpaG3pVDQuYyeZ8JkltMr4CZzgN:tJCUnxDGPymGkdzE1D7naaG5VDQuYye3
                            MD5:163660B027C20F57AD577359C6812B33
                            SHA1:77DB7B0BDFB312B1E74C14F3CCDE791171E49A8D
                            SHA-256:9A82396DF35501784695C4A8D0A6C31839C1ED2A14F0F0D8FC4A939831FF1E93
                            SHA-512:A8E7BF3C46482D2CB3FC5848BFB0CA924E0500FBBB1ECBB6A2439AC79E18C781C9F18C65EC8909F8B9FE1B5B325ABB82F7861C658C2B6BAFA0F9995C630CDDE2
                            Malicious:false
                            Preview:.@S.........&...............dt.-.hS...p...{.<....&......G.oN.....-.....B..._.`Q.....9vg...r..^....K.Pr......b7.cv.k.w.o........y..3."....k..T..'....Z...C.........s`,...I....b#e.........R9......f.ht.!@..).z.'$0.=.^....*U..Z....`..v..lVy.*../b...:.T..}VB.rn......p. @....|.#4,r.)8.53.........A...c.N.1..&N.O..Z.&.9/[`.5.......f..H|D.....kb...W.Xx...vm.N.dn...h.&.+.D.*f.^..m.6.Sn.^..d...... /.M.._u.-F...P..."..}.F..,.".j?.........m.m-.T...y......nN......kJ.i..w...<5.~...k&}c...=34!}.8x..I.%..j.V]"..-...ZxW.........>.#m.. .<...*.RU..5T.F......r..'E.bIiJ.............. i.=.........0.;>v.C.. t%`....J.j.9a..<....Ml.9.nZ.U.....Azy.9V.u\y.X..5../1.g@.e.I.H.....0..$..8...eU.U..x..Y..V .f.....]O6H..vE.WNA.S.t.I.L.9...2]..9.Q..u...R.. .J.4..%.7.!.v.X..5#<PEc.....}.UR..i....."U;.X..f...IO..*...#.....l..b...'..[1..F....9n.Y.Hr.eu.9WHW#.u.........}.>.24.?....RR...-.F=W3..j.....%v...$S'P?.+......X...lB.....4]....G.n.3.{......K./.....zp..F0...Y..a..]..
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996921999968999
                            Encrypted:true
                            SSDEEP:768:EGKpPX5PW6qfdpqmU5Vem8ibSYcDnbzqZB0avLHLfI0OB8K6OLylr3tBmh2l3lEd:Y9X5P6la55r2nXfa7LZOd6t3tBFhSm0
                            MD5:C7DDF3AF8F2B5FEC9A806B56092AF1DD
                            SHA1:5640A2ED6331DCAC5AC817BA497E793F798A8BDC
                            SHA-256:3890185FA1CC1B3B3731D4DAB64190861B2865162EC4E4DAC62C60AEADA98289
                            SHA-512:EA4496F8A65630AEFEA80EC47C2998EBC5556B6277387F13AF2308157CA7A8E0A9135D1F0C27A9A7BA8AEBEEBA36CBAF96C3F5B5A38291D7B3C7A4B74070217A
                            Malicious:false
                            Preview:.@S.....`.el ..............QO..n.z........+..........L.+....9.v..........Wq...T....<a89h....j.U..'....{8J.x.8|.0.g...K~t.qR.4..9M.........v......)T....by^.v.0.V1a.b.4..2....~[.u..V..."...QO.rl.I....#.....DH*2e..K"n.......fo..X\D.....50.....wZ3.g.....6..@...<f7....y..Z...-..P.zR..V!.6^.#....}Xu.]C..|....n.X..m.W3-B...G...N...k.T.0...>....:....5...r.N'.A...B..Vs.SC..#~.R..A.8...1.q......V]...M..G..K..7.......`A.~.S8.U.....}..../......D...~..p.....GF...C;.O`.q.c...m..;.m|.a v...p..`e.0/.h0.G.k.[.3.....C.a..nan.U........9Q..G......Wm.e?.....j-....m.z...=.U..w..Gs..v..!)...[..LFl..|....|2*.u.B{'....#J....we...N.J.v..C.Q....n..W@.=..2.6....g.|..[cT4.....T...s.2...q-....EL..S.E......Q...~......|...\nZ..`$......e.<J.......J.Ad.2.v....v.IU.D...t... ....q.^S.8+,..k.~......Q..@.....d)..*z2u..#.)?.(.F+1.`<s@.H.7..6N.).o).wnB.b.dG.P..q..%......*.&:R....-9.....j..lCy..}...w...~.|......wJ}.q1..\U...&...m._..V..........l..6b..8...L..a.6}.KA...
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996921999969004
                            Encrypted:true
                            SSDEEP:1536:VVcNVJQXv8NwowzmiDU8OtRGZDQt2WtajHvxUoQm5:ryQf0azJQ8OtRGaBgrvxVQm5
                            MD5:87672557096F6B0A3EC8684AFA54BCE1
                            SHA1:B8846DFADBB26AE4CB18294879B1C13D1DCF48A2
                            SHA-256:2C390C0DAFBCFF69F367944A596C8198351A3300F94E4527B3D361CA37A35EDF
                            SHA-512:2CAAD01135D71A7DCB36FEAFC437749D23CAFB44A4CC501B8B5BED830D172363D966AD081DC410E9EFFB2B32B953C1FD0964487F056A9C9FF614C5C2186AC066
                            Malicious:false
                            Preview:7z..'...............2.........Kn...[JUW=@-.AR.[z@..#1....5.j.Ib.x.M..Q..1..d.._.i.O}#Kr....NE:*.[.)..?..v|....h.....[..."O..{..0.....#5..UU.p^).X..7..*...4N.b.;..7....T.wUq.Z..S.3.a2x..@."..}.....C. .~.OZ?.....f..t+..%W1....0....k.`1..aJn?..M.....:r.@..2+....|?<..T`..c...S.....Ir....\.B}.\.....c>......-.Y9.:X...eJl.^.?.,...!.....{"P..5^HP.rl...v*..>\..E.Z.#.VE........3E....}{g.E...V.p....T|....K|.DI...p.v.4..y.a..a.q[.K.J. .&..I.`n.U..:.......I...+.).......2...h$....+..K..K.I6..r#J.....9..v.b._.?.=v..y....*...{.g:;Ey.He...-_.ioP].x..;y..io"~#......].T/..T.B.=.aN..P..EI..C6V..z.......k.l.....o...W-n)..%.7w._.1.....p.....$...}....67.s.).c..a.*......U......D...\..X-H.)S../W;...PAb5<..i..z....b.~.i........:z."4..9K..x..+.H.....7.)j...qbE..F.....E..Y.....Cr........q...o9:J..m.+I....KW..e7B..R.....E.....:.....QL.#.U#......."...\....c...G..hV+6.6Z.y..>._+..)^+rv.9......F-..?&.PRv.y....../......`...Szv./.`...cl.\ %XwyJ0... ..8..YqY...R.-~..H.#
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):1366688
                            Entropy (8bit):7.999860182084105
                            Encrypted:true
                            SSDEEP:24576:c1Nhc/EX4XVdL9TqNs4NT5Tr+RnPFOBHXVc8gydr6ctM81I6xkSe4e:c+DVdLcJ5v+RPUZXVc8F/tZC6xk
                            MD5:D86369BB0C19CDDCBCE595A11EFE8F22
                            SHA1:57EB12346F5141F5FC607A69A908125C37610A51
                            SHA-256:F71D3505B6FC12B10D87D0A05BB113E2BDC2E96984240C0905F15D04E08E577C
                            SHA-512:BB16E39CFF28A8016E12B2FEDFF04FE5DAA8032D6F709C601D95F39768C2DC127C1588A4B53294A5F33D8E22E06C803445B40BA71E22F584EE552399950EF037
                            Malicious:false
                            Preview:7z..'... ...@.......@.......g..c..rIW...q.Z.85)H..I.HOd....D...6t.D%...@;W6.e.....`..|."....|.g.}F.KRx.. [..N{.uQg..h.....,..|xA.:(..Y^.].~H....H.rf.z(.WK...pg)..y.!_fPC....7..@....M.yX{gfm...UE.5..*.........M........r_.~.....t..F.)UX..........e...9.B...H..#/.OHm.b.onH{....."f..'..cKhw@.......Y..?...k..7N./..C......K.Y..8-E.q..?...<....Z....X....X.<...[...2..6...5.:.3..U.Y.<...6..MJ ..*..U.to......g..[.G.ou.|.e2.g....G.$j._.M.c.w..Z.~....x.fL....k..x.M..e..i.}....q.Rp......`.......k.H.&..|....?. 8..K5hwCa=.Ot...N..m.].O..A..X.4.),.7..".......NA}<.F.._.U.T..U.P"..qw>......<.*...5{|d$..C.=.$b}...............b..O..........Q.yF.....F.n....y..2.....#.6JD...F.?.c.p.y>..)..w4$X....[_..'f.....3...........@...D7o.2......8Z.D..fOk.b.M.o..<.......Qa<...[......A).!Ic....n ..j.`r.......M.....0.3.A.%f.5.[s..#.e.tX.#.$..Z..d....?.<..%r%1.J4...q....%h]y.........d...LHY-.EA....R..:..+\....E).jK./E%.%.b.....K~..Q.c..f.x.;.....\...wu...*....
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3449406240731085
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                            MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                            SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                            SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                            SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:OpenPGP Public Key
                            Category:dropped
                            Size (bytes):1116602
                            Entropy (8bit):7.999845601264198
                            Encrypted:true
                            SSDEEP:24576:P5fyz7KSU1Mu/Nz9srsOI1fPIsaFMkul+w/clfZNoY3NB9lcSWodVo/zEH:0z7Kr5V6sOI1XIe3/cbNh3NPlPdVoIH
                            MD5:E167D6FBCB2A46EEBE2FC38F091A3BD3
                            SHA1:E0F10FF2CB7E3628FCE672143916BE714AA66391
                            SHA-256:842C85ABF00D78276A5D402908B4D97BE063CD50B9A0416589C5D2EA65C40DD0
                            SHA-512:BDC65C655684E77EFFD208E9622A506F41500651BD0B6C035C09E3FC6BB86F62115C88F24A0C1711D0F1F66E2FA06DA9055D659247F1DB15E9BA55D4C9BB71DF
                            Malicious:false
                            Preview:.....8@..\.S.D..7F....+....Z..R..&e.~&.p.p.!..Gf.64...B<..*#.............c%h....3DV...NW.^br..I..y..#.+L&D.k:y...^./....N.\.0.....U...W.&.^x....qYy.{...T.g..c._.*eC..../k...<.X...........+.L2..^..........I0Y.+..9-<...^........iq...<.D. .4........x.@%..>.5M...cq...y...D....`.;..]....@5*"_"*.W.......4.....O.9T.......OD...6PQ..V........)......57..............N......AM}..(...vM.o...<I].8...O;.........i..C;.6."*b..E..()..9Yh..i..../!L.....h.YJ2...(.._..d%....U4i>48..i]k.^.|Jm.......Y...l......<..@........Z(6q.....w.#.S|...#.......B..enr....&...+e).`....-....b.._....7$)N.;.*ha&V.V.,.dP`*A..wAS.'}"'.H.....e..]...F.'q.......^oA.x-..,...-...+T...g.R.. .t..s_.d...4,....W...,RU5l.....%l...qq...;?K.]..%..}...yZ...]o..o..@.U......q?Y..J.h.MH...u.....E.%.-........w.,.I...)...*)....g..``Z.z......_..&..y...G.O.......k.....>..%.H.K..T(.0.B..U..X....1T)].$.,....9...~.Z..].....j.....Y2x..w8....H.|O..1.:f...Sk.@tG..l..~6\:..x.$..E.K.....g....Gz...
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                            MD5:DA1F22117B9766A1F0220503765A5BA5
                            SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                            SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                            SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                            Malicious:false
                            Preview:@...e.................................R..............@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606016
                            Entropy (8bit):7.0063494494702985
                            Encrypted:false
                            SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                            MD5:95ACD5631A9131DB1FD066565AFC9A67
                            SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                            SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                            SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530566879501966
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:1AAE13D934719B05CE28D55B93D3EAF0
                            SHA1:902693CA02CB43E5C545D4B8AB6C7BB0B7168EAE
                            SHA-256:F1E3AC54EC572C70A3D8BF8297C0C41525C8FDDAF0C1D9F525E647B6745A2E33
                            SHA-512:824DC30F433845B077C83D8B6861FBC7FD55EB2AC40E2F7E6056D397111F121795AAC8495C787BE2D418EAC55DF356B64A9F998C71B348319F1A60C237351E8A
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530566879501966
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:1AAE13D934719B05CE28D55B93D3EAF0
                            SHA1:902693CA02CB43E5C545D4B8AB6C7BB0B7168EAE
                            SHA-256:F1E3AC54EC572C70A3D8BF8297C0C41525C8FDDAF0C1D9F525E647B6745A2E33
                            SHA-512:824DC30F433845B077C83D8B6861FBC7FD55EB2AC40E2F7E6056D397111F121795AAC8495C787BE2D418EAC55DF356B64A9F998C71B348319F1A60C237351E8A
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606016
                            Entropy (8bit):7.0063494494702985
                            Encrypted:false
                            SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                            MD5:95ACD5631A9131DB1FD066565AFC9A67
                            SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                            SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                            SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.929467630490579
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U52a9#U624b2.0.1.exe
                            File size:6'118'958 bytes
                            MD5:41e1d55f027ccbe1d6f1791b7dfa7230
                            SHA1:00dec8637d70bd850f93eb84a321f378bf840429
                            SHA256:83bc10b4f3f87db6168859335d139a1d85546fde941417bb4878a12297cc0f1c
                            SHA512:d995d487df981bcba41d0b491635470cc32b4868507a743654f0bb25fdff3aa7d7ef7f5e8cf416f72c237908948e605b5e590a77fdea5b76054cb856fb329373
                            SSDEEP:98304:XwREsJXyDGAMfZaqwODvM6zEzZK4IOI1FRhhdEnkqeyMBCqNrkeEBPBbUPm/dMwZ:lQXyDmBPvMCisV17BIeyMPkFHHZ
                            TLSH:B3561213F2CBE03EE05E1B3705B2A55494FB6A21A522AD5796ECB4ECCF350601E3E647
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F072D05D2F5h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F072D0EEC7Bh
                            call 00007F072D0EE7CEh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F072D0E94A8h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F072D0573A3h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F072D0EA7D3h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F072D0EED03h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F072D0F59EAh
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F072D0EB0C8h
                            mov edx, dword ptr [004B4200h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xcb000 | 0x11000 | 0x11000 | f7f34886de1e0b5b09b184e0a7b8e644 | False | 0.18784466911764705 | data | 3.7243229972960936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                            RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                            RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                            RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                            RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                            RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                            RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                            RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                            RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                            RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                            RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                            RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                            RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                            RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                            RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                            RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                            RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                            RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                            RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                            RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                            RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                            RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                            RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                            RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                            RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                            RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                            RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                            RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                            RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2790368271954674
                            RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                            DLL | Import
                            kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dll | InitCommonControls
                            user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                            Name | Ordinal | Address
                            __dbk_fcall_wrapper | 2 | 0x40fc10
                            dbkFCallWrapperAddr | 1 | 0x4b063c
                            Language of compilation system | Country where language is spoken
                            English | United States
                            No network behavior found

                            Target ID:0
                            Start time:06:59:59
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
                            Imagebase:0x340000
                            File size:6'118'958 bytes
                            MD5 hash:41E1D55F027CCBE1D6F1791B7DFA7230
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:06:59:59
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-N7K08.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10438,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
                            Imagebase:0x160000
                            File size:3'366'912 bytes
                            MD5 hash:1AAE13D934719B05CE28D55B93D3EAF0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:07:00:00
                            Start date:24/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:07:00:00
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:07:00:00
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
                            Imagebase:0x340000
                            File size:6'118'958 bytes
                            MD5 hash:41E1D55F027CCBE1D6F1791B7DFA7230
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:6
                            Start time:07:00:00
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-HKLIU.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$3043E,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
                            Imagebase:0x640000
                            File size:3'366'912 bytes
                            MD5 hash:1AAE13D934719B05CE28D55B93D3EAF0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:07:00:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:07:00:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:07:00:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:07:00:03
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0x280000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:moderate
                            Has exited:true

                            Target ID:11
                            Start time:07:00:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:07:00:03
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0x280000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:13
                            Start time:07:00:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:14
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff6ef0c0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:21
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:07:00:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:07:00:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:07:00:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:07:00:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:101
                            Start time:07:00:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:102
                            Start time:07:00:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:103
                            Start time:07:00:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:104
                            Start time:07:00:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:105
                            Start time:07:00:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:106
                            Start time:07:00:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff69ec60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:107
                            Start time:07:00:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:108
                            Start time:07:00:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d56a0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:1.8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15.3%
                              Total number of Nodes:816
                              Total number of Limit Nodes:9
                              execution_graph
6ca1f4eb 92485 6ca1f41a 16 API calls 2 library calls 92475->92485 92478 6ca1f50d 92480 6ca1f4df 92479->92480 92481 6ca2a2e8 GetPEB 92479->92481 92480->92475 92484 6ca272df 5 API calls std::_Lockit::_Lockit 92480->92484 92481->92480 92482 6ca2a2fb 92481->92482 92486 6ca27388 5 API calls std::_Lockit::_Lockit 92482->92486 92484->92475 92485->92478 92486->92480
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: ca0d085c4991a6f3737770e9e45dc0b83a21e458a53cb5841399ab177a826d54
                              • Instruction ID: 3494cfa2fb409162cbcd1a1b885793b76c4371bdde3bb1e4c522ff0611328d33
                              • Opcode Fuzzy Hash: ca0d085c4991a6f3737770e9e45dc0b83a21e458a53cb5841399ab177a826d54
                              • Instruction Fuzzy Hash: 1474F471644B028FC738CF2CC9D0695B7E2FF95318B198E6DC0AA8BA55E774B54ACB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: }jk$;T55$L@^
                              • API String ID: 0-4218709813
                              • Opcode ID: 990d29d4579a355322ffdac944cbb55dd1f3592c48308e9c6a8a9f07401d345c
                              • Instruction ID: e70e3aa3b691be93b4b5452eaaf4981228759e5f834a7ec94c39a0628e1d96d9
                              • Opcode Fuzzy Hash: 990d29d4579a355322ffdac944cbb55dd1f3592c48308e9c6a8a9f07401d345c
                              • Instruction Fuzzy Hash: EC340471644B018FC738CF68C9D0A96B7E3EF95314B198E2DC0A68BA55EB74B54BCB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph for the function starting at 6ca157b0 (block/edge data of the rendered graph omitted from this text rendering). Its basic blocks call CreateToolhelp32Snapshot, Process32FirstW, Process32NextW and CloseHandle, plus the internal functions 6ca23175 and 6ca1be90.
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CA157BE
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: a817b3afc9a3e9a149d48303225bf9fe7e6880ad5b1186bd4fb733fbc154e832
                              • Instruction ID: 8eece5038f556baf84fab03d03d4aeeef312b0921024e8839a6cd262312e88bb
                              • Opcode Fuzzy Hash: a817b3afc9a3e9a149d48303225bf9fe7e6880ad5b1186bd4fb733fbc154e832
                              • Instruction Fuzzy Hash: C231497460C300EFD7109F29C888B0ABBF4AF95758F544D2EE498C7BA0D77198899B92

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph for the function starting at 6c893886 (block/edge data of the rendered graph omitted from this text rendering). Its basic blocks call the internal functions 6c9e19e0, 6c9e19f0 and 6c893750, and the Windows APIs GetCurrentThread and NtSetInformationThread.
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 956a12b2c3d8e0ba5f3f73c207db87c557055f787d3bd8663ed81c3c58ebff50
                              • Instruction ID: e195d6eff00cbe4a1cbb9e4174da978a5aaf383127c5c905e1e04b59338fb4be
                              • Opcode Fuzzy Hash: 956a12b2c3d8e0ba5f3f73c207db87c557055f787d3bd8663ed81c3c58ebff50
                              • Instruction Fuzzy Hash: E832D132245B018FC334CF2CC990696B7E3EFD53187698E6CC0AA5BA55D775B84ACB50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Control-flow graph for the function starting at 6c893a6a (block/edge data of the rendered graph omitted from this text rendering). Its basic blocks call the internal functions 6c9e19e0, 6c9e19f0 and 6c893750, and the Windows APIs GetCurrentThread and NtSetInformationThread.
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: d5ac9874b2299f9e0a407f448d6e7d17ed5eda0c09b3220b3e0f694c0574f2fd
                              • Instruction ID: b545df78514fff7317abd1d23250683ac715e60dd568b1c901a29fae0dc960f0
                              • Opcode Fuzzy Hash: d5ac9874b2299f9e0a407f448d6e7d17ed5eda0c09b3220b3e0f694c0574f2fd
                              • Instruction Fuzzy Hash: B151CE31144B018FC3318F28C980795B7E3BFE6314F698E5DC0EA5BA95DB74B94A8B41
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: ad3e2c8520bd1bb0c62d1bdb35f151c64eb6373c8506d885b2a4fb6d4acf2da2
                              • Instruction ID: 006874be5387cea6dfe3e43be4c87fdc305fc6b49e4833d36302a267a6d6a285
                              • Opcode Fuzzy Hash: ad3e2c8520bd1bb0c62d1bdb35f151c64eb6373c8506d885b2a4fb6d4acf2da2
                              • Instruction Fuzzy Hash: EB519D31104B018FC3308F2CC980799B7E3BF96318F698E5DC0EA5BA95DB71B94A8B51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C893E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C893EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 736d7e8d8c8a550a0f71baadaea46e3f9f1c8c77d72b6cb48b5c37309dadb7ee
                              • Instruction ID: bc4236605763a0483222749af7a62e8d5fded25fc2b7319e4c7d024696f4bc92
                              • Opcode Fuzzy Hash: 736d7e8d8c8a550a0f71baadaea46e3f9f1c8c77d72b6cb48b5c37309dadb7ee
                              • Instruction Fuzzy Hash: A831E131245B058FC330CF28C9947C6B7B3AFE6318F298E1DC0AA5BA91DB7478099B51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C893E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C893EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 4e61c405badd21c0ab12b495ad637ecf64cb54b87620dd4a199524451498b6a5
                              • Instruction ID: e5b6be776daf6f5cc1b2a5fb7ef41585933ae3e460846cfa4be4a22697f825a1
                              • Opcode Fuzzy Hash: 4e61c405badd21c0ab12b495ad637ecf64cb54b87620dd4a199524451498b6a5
                              • Instruction Fuzzy Hash: 1D31CF31104B058FC734CF2CC990796B7B6AF96308F694E1DC0EA5BA95DB71B845CB51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C893E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C893EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: f00f4cb899cc0dc880950026e5cac1be9bfa2b2dd4b0cfb8940c713f2554eb8f
                              • Instruction ID: a8ca2bce724585aaf7c02f18060458d2abdaa45301cd88f3c47e7b418d8bf05a
                              • Opcode Fuzzy Hash: f00f4cb899cc0dc880950026e5cac1be9bfa2b2dd4b0cfb8940c713f2554eb8f
                              • Instruction Fuzzy Hash: C421F430108B058FD334CF2CC99079A77B6AF96308F284E1DD0BA8BA91DB74A8048B51
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CA156A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ManagerOpen
                              • String ID:
                              • API String ID: 1889721586-0
                              • Opcode ID: f28a924434a47631c10acf6695aecac1f4ff3117edb6ad63d23901b017953bb7
                              • Instruction ID: 5acd0326232ba320787533a16485df225ce649b23860bfa4752e209e9930de96
                              • Opcode Fuzzy Hash: f28a924434a47631c10acf6695aecac1f4ff3117edb6ad63d23901b017953bb7
                              • Instruction Fuzzy Hash: 9C312BB460C341EFC700CF28C555A4ABBF0AB89768F588C5AF899C7761C371C8849B66
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6CA0B44C
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: 51489eb1f9e8ec1fde4dce70a2388e0f37f4a8799c2917a4a7f3603c7f1a3398
                              • Instruction ID: c6a4ebf31736635e59f6edbbedc317a17b81495884b454e3d97e00f071f0baee
                              • Opcode Fuzzy Hash: 51489eb1f9e8ec1fde4dce70a2388e0f37f4a8799c2917a4a7f3603c7f1a3398
                              • Instruction Fuzzy Hash: FF114874608351AFD700CF29E68450EBBE4BF86358F188E59F4A9CBB91D331CD888B02
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C9EB117
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                              • API String ID: 2738559852-1563143607
                              • Opcode ID: bf63e8d65685a1b613a446cbf6825972dff970075c6085963780c8173e1fafcf
                              • Instruction ID: 93c3f8574350eea35d7a0c8c64ee9ff1d86e720aa9e747c3a0752d7738d88a87
                              • Opcode Fuzzy Hash: bf63e8d65685a1b613a446cbf6825972dff970075c6085963780c8173e1fafcf
                              • Instruction Fuzzy Hash: D762467060D381CFC725CF28C490A5ABBF1AFE9314F248D1EE8A9CB755D635E8458B4A

                              Control-flow Graph

                              • Rendered graph not available; blocks from 6ca2d043 reference GetConsoleMode, ReadFile, ReadConsoleW and GetLastError
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 69ad27a41acd203d047a48cb01472d75c7df88e22e3d0aa8fdfa9190001889e5
                              • Instruction ID: bb6f23ff1bab17d101665587f247dbb332262b6efd1b76b52ffd1e31dafb1c43
                              • Opcode Fuzzy Hash: 69ad27a41acd203d047a48cb01472d75c7df88e22e3d0aa8fdfa9190001889e5
                              • Instruction Fuzzy Hash: 93C10C70E042599FDF05CF99C980B9DBBB1EF4A318F1C4159E4149BB82C778D989CB64

                              Control-flow Graph

                              • Rendered graph not available; blocks from 6ca345dc reference GetFileType, GetLastError and CloseHandle
                              APIs
                                • Part of subcall function 6CA349C7: CreateFileW.KERNEL32(00000000,00000000,?,6CA34685,?,?,00000000,?,6CA34685,00000000,0000000C), ref: 6CA349E4
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA346F0
                              • __dosmaperr.LIBCMT ref: 6CA346F7
                              • GetFileType.KERNEL32(00000000), ref: 6CA34703
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA3470D
                              • __dosmaperr.LIBCMT ref: 6CA34716
                              • CloseHandle.KERNEL32(00000000), ref: 6CA34736
                              • CloseHandle.KERNEL32(6CA2B640), ref: 6CA34883
                              • GetLastError.KERNEL32 ref: 6CA348B5
                              • __dosmaperr.LIBCMT ref: 6CA348BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: b657b1a30947dcb33741280076193435e204e9f0d01dcdcfcdb8836c41790131
                              • Instruction ID: bdb16c94ad0fe908a1a2b807bd8e10b481a2102dc4cc2f6ec9ee4bb79bb5c149
                              • Opcode Fuzzy Hash: b657b1a30947dcb33741280076193435e204e9f0d01dcdcfcdb8836c41790131
                              • Instruction Fuzzy Hash: 46A13732A042598FCF099F68DC617EE7FB1AB07328F18514DE815EB790C776889ACB51

                              Control-flow Graph

                              • Rendered graph not available; blocks from 6c9ec750 reference WriteFile and ReadFile
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: :uW$;uW$;uW$> 4!$> 4!
                              • API String ID: 0-4100612575
                              • Opcode ID: a2dc3fdd940eef04c965022b8b70dd68ed8cd683c262ca230f8c47a391d5ee7a
                              • Instruction ID: 76a5375b4dfc422dff15befe2b36bd20def64a034027060b44017b515c859ad6
                              • Opcode Fuzzy Hash: a2dc3fdd940eef04c965022b8b70dd68ed8cd683c262ca230f8c47a391d5ee7a
                              • Instruction Fuzzy Hash: 51715BB0208345AFD711DF19C480B9ABBF5BF9E708F10492EF499D7A51D772D8888B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: K?Jo$K?Jo$`Rlx$7eO
                              • API String ID: 0-174837320
                              • Opcode ID: 15e5e20285371d940211921a84e8d1e24fae79a28e988136346b9e018fc3246b
                              • Instruction ID: 289cae669e8a827e08202df849e9cf622392e34684259a558814a9a2995656b2
                              • Opcode Fuzzy Hash: 15e5e20285371d940211921a84e8d1e24fae79a28e988136346b9e018fc3246b
                              • Instruction Fuzzy Hash: EE4276B46093468FC716DF18C08062ABBF1AFA9318F248D5EE5E987B21D734D885CB57
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: 2590e5e4ee8ff4831f6ac2520263a357b53f9e7f7dfba6b1f29be392909ebe06
                              • Instruction ID: aed40e3c51329e40f3a7d0f5ecb4730a0390fed7a9b93555021f029d6c5a7f5e
                              • Opcode Fuzzy Hash: 2590e5e4ee8ff4831f6ac2520263a357b53f9e7f7dfba6b1f29be392909ebe06
                              • Instruction Fuzzy Hash: 5803E131645B018FC738CF68C9D0696B7E2AFE53247198F6DC0AA4BA95DB74B44BCB40

                              Control-flow Graph

                              • Rendered graph not available; blocks from 6ca15560 reference CreateProcessA, WaitForSingleObject and CloseHandle (twice)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID: D
                              • API String ID: 963392458-2746444292
                              • Opcode ID: 9a7c81b03c6608966382b527dc907f4ed4f9faa0c4c2a45d902de482288fdb39
                              • Instruction ID: 7fb1149018d9da61467611b66d5c5585b535c8b7caf0e71c61d7b9d300dacc89
                              • Opcode Fuzzy Hash: 9a7c81b03c6608966382b527dc907f4ed4f9faa0c4c2a45d902de482288fdb39
                              • Instruction Fuzzy Hash: C731E1B08093808FD740DF29D19876EBBF0AB9A318F445A1DF8E997650E7B495888F43

                              Control-flow Graph

                              • Rendered graph not available; blocks from 6ca2c1ce reference WriteFile and GetLastError
                              APIs
                                • Part of subcall function 6CA2C421: GetConsoleCP.KERNEL32(?,6CA2B640,?), ref: 6CA2C469
                              • WriteFile.KERNEL32(?,?,6CA34C5C,00000000,00000000,?,00000000,00000000,6CA36026,00000000,00000000,?,00000000,6CA2B640,6CA34C5C,00000000), ref: 6CA2C31F
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA34C5C,6CA2B640,00000000,?,?,?,?,00000000,?), ref: 6CA2C329
                              • __dosmaperr.LIBCMT ref: 6CA2C36E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: f6824726208a80f49667f30c4350957717e436595ec43721330088f2e7fcddaa
                              • Instruction ID: 46b166ba2d8d3cea69535ea58080a397365706ecce011236bcc373a50d91a6ae
                              • Opcode Fuzzy Hash: f6824726208a80f49667f30c4350957717e436595ec43721330088f2e7fcddaa
                              • Instruction Fuzzy Hash: A451C371A0422AABFB00AFE4C940BDEB7B9FF4631CF1C0555E410A7A40D778D9898760

                              Control-flow Graph

                              • Rendered graph not available; blocks from 6ca16100 contain only internal calls, no direct API references
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA162A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: 8fad64586faac2f489f4839e49057e4b738a7e3c52b37a137c783cbb76a234c4
                              • Instruction ID: 1362e49928c590da3357d58c0a24235a4aea5e277a9dec8d89f3bbeedb45b19b
                              • Opcode Fuzzy Hash: 8fad64586faac2f489f4839e49057e4b738a7e3c52b37a137c783cbb76a234c4
                              • Instruction Fuzzy Hash: B45142B1900B408FD725CF29C595B97BBF1FB48318F048A2DD8868BB91D775B949CB90

                              Control-flow Graph

                              control_flow_graph 7699 6ca2be95-6ca2bea9 call 6ca31b12 7702 6ca2beab-6ca2bead 7699->7702 7703 6ca2beaf-6ca2beb7 7699->7703 7704 6ca2befd-6ca2bf1d call 6ca31c8f 7702->7704 7705 6ca2bec2-6ca2bec5 7703->7705 7706 6ca2beb9-6ca2bec0 7703->7706 7716 6ca2bf2b 7704->7716 7717 6ca2bf1f-6ca2bf29 call 6ca1ff62 7704->7717 7708 6ca2bee3-6ca2bef3 call 6ca31b12 CloseHandle 7705->7708 7709 6ca2bec7-6ca2becb 7705->7709 7706->7705 7707 6ca2becd-6ca2bee1 call 6ca31b12 * 2 7706->7707 7707->7702 7707->7708 7708->7702 7720 6ca2bef5-6ca2befb GetLastError 7708->7720 7709->7707 7709->7708 7718 6ca2bf2d-6ca2bf30 7716->7718 7717->7718 7720->7704
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6CA347CF), ref: 6CA2BEEB
                              • GetLastError.KERNEL32(?,00000000,?,6CA347CF), ref: 6CA2BEF5
                              • __dosmaperr.LIBCMT ref: 6CA2BF20
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 59ede03a7bb6fae64c36131adc2d25c8a01fe1bd6ac1d85f0c202f2b7c6ea9c2
                              • Instruction ID: e3a7e9165f591c3e1df89fffef38aabaa391032144241882cbbe2bfd0a3aae9a
                              • Opcode Fuzzy Hash: 59ede03a7bb6fae64c36131adc2d25c8a01fe1bd6ac1d85f0c202f2b7c6ea9c2
                              • Instruction Fuzzy Hash: AD01253370813007C3151A39B954BBE277D4B8673CF3E4359EA1AC7AC1DB69C4C94150

                              Control-flow Graph

                              control_flow_graph 7944 6ca2110c-6ca21117 7945 6ca21119-6ca2112c call 6ca1ff3c call 6ca20690 7944->7945 7946 6ca2112e-6ca2113b 7944->7946 7956 6ca21180-6ca21182 7945->7956 7947 6ca21176-6ca2117f call 6ca2b3e5 7946->7947 7948 6ca2113d-6ca21152 call 6ca21229 call 6ca28cae call 6ca2a1d0 call 6ca2be08 7946->7948 7947->7956 7963 6ca21157-6ca2115c 7948->7963 7964 6ca21163-6ca21167 7963->7964 7965 6ca2115e-6ca21161 7963->7965 7964->7947 7966 6ca21169-6ca21175 call 6ca24d2b 7964->7966 7965->7947 7966->7947
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: e2cfbea3d30390e78646745a5bb9975cfd9c8fff21340fbe8d7e229a598725c8
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: 85F086325026345AD7211A79DE00BDA32A89F42378F1D4719EA2492FD0DB7DD88EC7D5
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA16024
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA16064
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: 4cc2d8ccba5df368377df418a38ca62d99157a515abc22c9010970d3f4c8ea17
                              • Instruction ID: d2be267f7048995ad98bb37b2206423b79d88e2b3a03b6d2de35b661d6b6153a
                              • Opcode Fuzzy Hash: 4cc2d8ccba5df368377df418a38ca62d99157a515abc22c9010970d3f4c8ea17
                              • Instruction Fuzzy Hash: 50514871105B00DBD725CF29C995BD6BBF4FB04718F448A1CE4AA8BBA1DB30B589CB81
                              APIs
                              • GetLastError.KERNEL32(6CA46DF0,0000000C), ref: 6CA1F4C2
                              • ExitThread.KERNEL32 ref: 6CA1F4C9
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 2d3c7878b4c47694da02e08d46d9b0a0b549f13d414139529ddb796353535f4c
                              • Instruction ID: d6634c64b1d766cdb4424ea621a311cd69ac15a90f46524bd1ce796943d24a42
                              • Opcode Fuzzy Hash: 2d3c7878b4c47694da02e08d46d9b0a0b549f13d414139529ddb796353535f4c
                              • Instruction Fuzzy Hash: CBF0C271A047059FDB04EFB1C909AAE3B74FF01318F298149F1069BB51CF399989CB60
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: ececdad68bb674ba61c60fd9999acb37063308b3413f89f49771fc53c19f1d8c
                              • Instruction ID: 5a87687fdeafa654884b5c13dcbb269fb5f6f39b2a9cc228fe487946973e6326
                              • Opcode Fuzzy Hash: ececdad68bb674ba61c60fd9999acb37063308b3413f89f49771fc53c19f1d8c
                              • Instruction Fuzzy Hash: 9C112572A0420AABCF05CF59E941EDB7BF8EB48308B194569F809AB301D771E915CBA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: 51992e97e905526fcafb4327b5ae92a7fa3ea3472cdc69144d6bae7ee5b9d45b
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: A7014472C0116DAFCF019FA88D009EE7FB5BF08214F144165F918E2550E7318A64DB91
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6CA34685,?,?,00000000,?,6CA34685,00000000,0000000C), ref: 6CA349E4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 788501688533200deb15a5215baffddfcf15d60a82895c2ffd0426059f58036d
                              • Instruction ID: 55bfc7f5b84ab7f76906dd939c33a39a0db28789c7db0205a80b844c9b492563
                              • Opcode Fuzzy Hash: 788501688533200deb15a5215baffddfcf15d60a82895c2ffd0426059f58036d
                              • Instruction Fuzzy Hash: 25D06C3210020EBBDF029E84DC06EDA3BAAFB48714F028000BA5896020C732E862AB90
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: d8e65b340d9be446b882eebee484e1af1e368d3c22b92c4d356fd8447116948c
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: L$b
                              • API String ID: 3732870572-3566554212
                              • Opcode ID: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                              • Instruction ID: 1b7df1e793f188fc504fffb8193652ef9f6536a0f6e71bcc484ec00881573d58
                              • Opcode Fuzzy Hash: d9657c234f8b039fc43015c1601217ec1c14bdfa2872b48e6b05b85763b47a84
                              • Instruction Fuzzy Hash: 90E27A30D01299DFDB15CFA8CA94ADCBBB9AF09308F248199D449B7741DB306E89CB61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: g)''
                              • API String ID: 4218353326-3487984327
                              • Opcode ID: 5d3ea140460012add49c63c9970fc7fbac9a7658269366200ad710c8c5039c11
                              • Instruction ID: 728139e0bddce4f5337f0c54b9ab055fe210b76e43b516928bcfe83623321713
                              • Opcode Fuzzy Hash: 5d3ea140460012add49c63c9970fc7fbac9a7658269366200ad710c8c5039c11
                              • Instruction Fuzzy Hash: AA63E071649B018FC728CF28C8D0A95B7F3AF9531871D8A6DC0E64BE59E774B58ACB40
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 6CA162DA
                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CA162E6
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CA162F4
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CA1631B
                              • NtInitiatePowerAction.NTDLL ref: 6CA1632F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3256374457-3733053543
                              • Opcode ID: a1168ea298e64c2b50e60ef639e5b3da6b5eab26686249ef872f19e0e438ba3f
                              • Instruction ID: fd2e17d600adde1dfa7d6403d57a0df93165538c692880b4182fce87bd6661a2
                              • Opcode Fuzzy Hash: a1168ea298e64c2b50e60ef639e5b3da6b5eab26686249ef872f19e0e438ba3f
                              • Instruction Fuzzy Hash: 9BF03071644300BFEA106F24DD0BB5A7BB8EB45709F014658F985A7191D7B069948FA2
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: \j`7$\j`7$j
                              • API String ID: 0-3644614255
                              • Opcode ID: f08f02b1fdb55632af35fb530f364c6c834e66604e867334a83e81d374f8876a
                              • Instruction ID: ca28135c04e422ce78efe22e43e8e688e1e0c8a662061278141e7d4361474445
                              • Opcode Fuzzy Hash: f08f02b1fdb55632af35fb530f364c6c834e66604e867334a83e81d374f8876a
                              • Instruction Fuzzy Hash: A442337460D3828FCB25CF68C58066ABBE1ABCA354F144E2EE499CB761D334E845CB53
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CA207E9
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CA207F3
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CA20800
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID: _c$
                              • API String ID: 3906539128-1047311438
                              • Opcode ID: 201d925a21a725d9f857d7902d8581e65c0ede979a0ecce58a4868ce6b3de68a
                              • Instruction ID: 2e03265a5909070f78fff713a4fb3a328bfcf0aaa0c6d9881fd14235914ccc5a
                              • Opcode Fuzzy Hash: 201d925a21a725d9f857d7902d8581e65c0ede979a0ecce58a4868ce6b3de68a
                              • Instruction Fuzzy Hash: C631B37590132C9BCB21DF64D9887CDBBB4BF08714F5081EAE41CA7690EB749B858F45
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: $h%K
                              • API String ID: 0-1737110039
                              • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction ID: 1fee640d347ef1d66fa8a389e2e4d58ca6dc42413389f478a625f93b49f98512
                              • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction Fuzzy Hash: 9E538830D11258DFDB25CBA4CA95BEDBBF4AF09308F248198D449A7691DB30AEC9CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: 1$`)K$h)K
                              • API String ID: 0-3935664338
                              • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction ID: 7cd12148efe045a7a3507238a1fb4d5568d7c4a054fd9d9a19a4fa389894c220
                              • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction Fuzzy Hash: 62F28C70D01248DFDB11CFA8C988BDDBBB5AF49308F288499E449EB751DB719A86CF11
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,6CA1F7A5,6CA1A1B9,00000003,00000000,6CA1A1B9,00000000), ref: 6CA1F70F
                              • TerminateProcess.KERNEL32(00000000,?,6CA1F7A5,6CA1A1B9,00000003,00000000,6CA1A1B9,00000000), ref: 6CA1F716
                              • ExitProcess.KERNEL32 ref: 6CA1F728
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: e1b5dc1a2d7d9f9f261a75c9883821087f5f17a0864f4ada3e2a28847fb09a2a
                              • Instruction ID: 87f9aa08535bd2dbfc964a14ec3e8f79655d906a480ac33c5ea283b5122d4ffc
                              • Opcode Fuzzy Hash: e1b5dc1a2d7d9f9f261a75c9883821087f5f17a0864f4ada3e2a28847fb09a2a
                              • Instruction Fuzzy Hash: 21E0B632108A88EFCF057F95DD48A893B79FF45249B198418F81586A21DB3ADDC6CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: $J
                              • API String ID: 0-1755042146
                              • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction ID: 3c8e056c721b21b48405f5b32910c9857e31df3067cc8c88d8479b8e07b28151
                              • Opcode Fuzzy Hash: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction Fuzzy Hash: 1CE2D170D05249DFEF01CFE8C548BDDBBB4AF05308F288099E895AB691C775D98ACB61
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CA17E20
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CA18643
                                • Part of subcall function 6CA198E9: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CA1862C,00000000,?,?,?,6CA1862C,?,6CA4555C), ref: 6CA19949
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                               • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                              • String ID:
                              • API String ID: 915016180-0
                              • Opcode ID: bdf5d2fe263ce97a79d2a0b3aa971f32c071492d02ba2a03fb1561d4cb8890dd
                              • Instruction ID: f4fe0f14208262afce477b0d7f50e816093f59713d13b5addc8aaf56c68876bf
                              • Opcode Fuzzy Hash: bdf5d2fe263ce97a79d2a0b3aa971f32c071492d02ba2a03fb1561d4cb8890dd
                              • Instruction Fuzzy Hash: 45B18E71E092099FDF05CF95C88269DBBF4FB49318F29852AD415E7E84E3789988CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ctype
                              • String ID:
                              • API String ID: 3039457973-3916222277
                              • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction ID: 925f4692591e05f86f63a8bf814013063e628d35d6fbf8210cdc6af4175a6111
                              • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction Fuzzy Hash: 7903BC34805248EEDF26CFA4CA44BDCBBB1BF15308F248099D449A7B91DB749ACDDB61
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: 2c8ef9ada69674ec9d50e1e10c3e4ba94b6f7dd1a6473d761a2b873fc8d1786a
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: CC2191376A4D564BD74CCA68EC33EB92681E749305B88527EE94BCB3D1DF5C8800D648
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: W
                              • API String ID: 0-655174618
                              • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction ID: 247a0867f167df0ef1404436f5e00c40e280163e012d5e4c81333b9dad923d3a
                              • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction Fuzzy Hash: 76B27C70A05259EFDB01CFE8C584BADBBB4AF09308F284099E946EB751C775DD86CB60
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: YA1
                              • API String ID: 0-613462611
                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction ID: ff59ab3ea59efa75ad687c6bbebe8c66a295f5b2b9d201f53055d611f711f3c4
                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction Fuzzy Hash: 1642E570A0D3818FD315CF28C49069ABBE6FFD9308F18496DE4D99B745C671D98ACB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                              • Instruction ID: bab0d2cdb720e07164acea68f95c2c1ce09d56592441a54903270da2a201e0b4
                              • Opcode Fuzzy Hash: bf6cc7e3d5e08887c52fb4d73b2e2a9274b9cdfd61b6f8eb1b64b386a2eecc6f
                              • Instruction Fuzzy Hash: F6226B70A042099FDB18CFA9C584BADBBF0FF48308F148559E8599B741D774E99ACF90
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 8306a6d7a058822b2f162d99e3bfd945393e74ff3f3d40068f6643608dbc8433
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 8F51C972A053859BD710CF5AC4C06EEFBF6EF79214F18C05DE8C897242D27A599AC760
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: a211ac24a1279c14b30bf9da364ac9dc027a0e44c11c42a82b57942b55e39578
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 5E028A356083508BD325CF29C5907AEBBE2BBC8348F188A2DE4D597B51C7759D89CB83
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @ K
                              • API String ID: 0-4216449128
                              • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction ID: 7bd582c41055c7c5e5107f6151af94d6499d10a814e91e66b01e319934e1ad9a
                              • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction Fuzzy Hash: F0D1E131D202188FDB14CFA9C5927DEB7F6FF84318F18816AE425ABA84CB7098C5CB55
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: x=J
                              • API String ID: 0-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: 51c373bf60de676ef7df83f4c66ab4f146ce230f5f895b8de6a69dd7ce2371ff
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: 8891D031D01209DACF04DFB8DB909EDB7BABF45308F24C16AD452A7A51DB3259D9CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: 1cef12aaca1103eb8c62498a931d602e48464b865aed38604f76228eb5edb41c
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: 44516473E208214AD78CCE24DC2177572D2E788310F8BC1B99D8BAB6E6DD78989587D4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction ID: 84a4328b13acb0398d7cd63bcfcdae43b35aa42840d74f88ce1319e440a77d2c
                              • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction Fuzzy Hash: A5727BB16042168FD708CF28D490258FBE5FB89310B5A47ADD85AEB742DB31E8D5CBC1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 36e59002686ab19309f918f3860b747ef88cc1110e88759f7e08e20c8a557b15
                              • Instruction ID: 22535f1f1396f82bf15ccbbfbaeeb79ecbc90ba89116f3663cfa0978d237e590
                              • Opcode Fuzzy Hash: 36e59002686ab19309f918f3860b747ef88cc1110e88759f7e08e20c8a557b15
                              • Instruction Fuzzy Hash: A31290713097418BC718CF29C5906AABBE2BFC8344F58892DE5D68BB41D731E889CB46
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: 61292c51305710e50ece60f6816517d4548d5b61126c492fb9626769630efa17
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: D402F732A083118BD319CF2DC480259BBF2FBC4355F1A4B2EF49697A94D774A9C4CB92
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction ID: 88173590065ce6b4e66a2ec34b6fc5ef6fd78652aca5f9b844b6b62ad1de5be5
                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction Fuzzy Hash: 64F1F13A6042888FEB24CE2CD8507EEB7E6FBC5304F58453DD889DBB41DB35958A8791
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction ID: f7293b29f16b61bf711a19b31ccc9977f4044bbb2e95353796afc48ecb02be11
                              • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction Fuzzy Hash: 66E1D071704B058BD724CF29D4A03AAB7E2EBC4314F58493DC596C7B81DB75E58ACB82
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction ID: 5e638fd1a0d5a501ae2c896b0c3f0f761d278cc0b16469cfbc2d01228638e2cf
                              • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction Fuzzy Hash: F3F15970910249DFCB54CFA8C681BDDBBF1BF04308F14806ED41AABB52D770AA99CB61
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction ID: 950e97189ad170e6ff563dcfcc92c652bdadf36697a2ba6ae252d2d41d92cff8
                              • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction Fuzzy Hash: 9DC1A071704B068BE328CF2DC4906BAB7E2EBD4314F558A2DC1A6C7B55D670F499CB82
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction ID: a0d3b801f124ff846b5b18172f2f4a6073e577fc33c9a9b4833062813eb196c3
                              • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction Fuzzy Hash: 93B19E717022218FC750CF2DC8812047BA2BBC522977987ADC4A49FA4AD336E897CBD1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67a02051e920f9db73184ee96149be134fcf8b95d9c0f58b1b5d05151753bd85
                              • Instruction ID: eb0fa62a8562630ea0769cee9ee5296e8db1e45691d71b140928d139c83239d3
                              • Opcode Fuzzy Hash: 67a02051e920f9db73184ee96149be134fcf8b95d9c0f58b1b5d05151753bd85
                              • Instruction Fuzzy Hash: DDC1C2353047418BC718CE3DD0E4696BBE2EFDA314F149A6DC4CA4BB55DA30A84DCB56
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction ID: dc74ecf0a696dd31b6c0ff75ccc9444b8b6c96ffbef33fefee332b92e1aa3891
                              • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction Fuzzy Hash: A0B17F71B012448FC351CF29C885254BBA2FF8532CB79969EC4948F646E337D897CB92
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                               • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                              • Instruction ID: dce274d49e8c9df6855f437b2973a4cd7fe90d29b2de27819b5d01b04d381238
                              • Opcode Fuzzy Hash: 198e3b67c30e49fc889c46f171b82045d2b176faab8633eba47bfa451d0a0751
                              • Instruction Fuzzy Hash: 80B1CE31304B054BD324DB39C9907DAB7E9AF80308F08856DC5AAA7781EF31B58DC795
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction ID: 1265b735c25efcde169f48745af96ba5c74d48bad93a7c7a5b5ef365d7bc6776
                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction Fuzzy Hash: 0BB18A757087028BC304DF29C8806ABF7E2FFD8304F18892DE59987711E771A59ACB96
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction ID: 041916c5fe2b2c019188cc302b9a81d3e81aefa27efafa906119d46f47bc70eb
                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction Fuzzy Hash: FDA1D37270C3418FC315CE2EC69069ABBE1ABD531CF584A2DE4DA97741D631E98ACB43
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: ab129ab33bf9e800e96356f76a6639c2390dc3bb16ce0409ee2927ad79dd6e88
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: B1519E72F006099FDB08CF99DD916EDBBF2EB88308F248169D515E7B81D7749A81CB44
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: 4c851b0a9a0c3f1e524f6975b1fd91818689f14f17dfafe8f85efe80a7bbd6c0
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: CC3114277A440113D70CCD3BCC2679F91635BD462A70ECF396C45DEF55D92CC8524144
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 17c35fe48b84d63931dc93d1663f6244d6f9b87ff49c8556dbf65924b14c0353
                              • Instruction ID: bb9486a8803ea3e1d260a432c94584ea0594dc9e6a12b76345d9fc9d1388ebf0
                              • Opcode Fuzzy Hash: 17c35fe48b84d63931dc93d1663f6244d6f9b87ff49c8556dbf65924b14c0353
                              • Instruction Fuzzy Hash: D9F03932A15234EBCB12CB88C906B8973BDEB45B65F190096E901EBA40C7B4DE88C7C0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction ID: ea4968f539b616632287fabeed2397b8e33866f56c3656641d61f48f5dafa710
                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction Fuzzy Hash: 9BE08632911278EBC714CB88C500D89B3EDE744A04B150196F901D3510C274DE44D7C0
                              APIs
                              • GetConsoleCP.KERNEL32(?,6CA2B640,?), ref: 6CA2C469
                              • __fassign.LIBCMT ref: 6CA2C648
                              • __fassign.LIBCMT ref: 6CA2C665
                              • WriteFile.KERNEL32(?,6CA36026,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA2C6AD
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CA2C6ED
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA2C799
                              Similarity
                              • API ID: FileWrite__fassign$ConsoleErrorLast
                              • String ID: _c$
                              • API String ID: 4031098158-1047311438
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6CA1A077
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6CA1A07F
                              • _ValidateLocalCookies.LIBCMT ref: 6CA1A108
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6CA1A133
                              • _ValidateLocalCookies.LIBCMT ref: 6CA1A188
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm$_c$
                              • API String ID: 1170836740-3695372941
                              Similarity
                              • API ID:
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 0-609671
                              Similarity
                              • API ID:
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 0-537541572
                              Similarity
                              • API ID: __aulldiv
                              • String ID: >WJ$x$x
                              • API String ID: 3732870572-3162267903
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C8E2F95
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C8E2FAF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E2FD0
                              • __Getctype.LIBCPMT ref: 6C8E3084
                              • std::_Facet_Register.LIBCPMT ref: 6C8E309C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E30B7
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              APIs
                              • _free.LIBCMT ref: 6CA3604D
                              • _free.LIBCMT ref: 6CA36076
                              • SetEndOfFile.KERNEL32(00000000,6CA34C5C,00000000,6CA2B640,?,?,?,?,?,?,?,6CA34C5C,6CA2B640,00000000), ref: 6CA360A8
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA34C5C,6CA2B640,00000000,?,?,?,?,00000000,?), ref: 6CA360C4
                              Similarity
                              • API ID: _free$ErrorFileLast
                              • String ID: 8Q
                              • API String ID: 1547350101-4022487301
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CA1F724,00000000,?,6CA1F7A5,6CA1A1B9,00000003,00000000), ref: 6CA1F6AF
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CA1F6C2
                              • FreeLibrary.KERNEL32(00000000,?,?,6CA1F724,00000000,?,6CA1F7A5,6CA1A1B9,00000003,00000000), ref: 6CA1F6E5
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              Similarity
                              • API ID:
                              • String ID: $ $$ K$, K$.$o
                              • API String ID: 0-1786814033
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6CA1789E
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6CA178A9
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA17917
                                • Part of subcall function 6CA177A0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CA177B8
                              • std::locale::_Setgloballocale.LIBCPMT ref: 6CA178C4
                              • _Yarn.LIBCPMT ref: 6CA178DA
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              APIs
                                • Part of subcall function 6CA17897: __EH_prolog3.LIBCMT ref: 6CA1789E
                                • Part of subcall function 6CA17897: std::_Lockit::_Lockit.LIBCPMT ref: 6CA178A9
                                • Part of subcall function 6CA17897: std::locale::_Setgloballocale.LIBCPMT ref: 6CA178C4
                                • Part of subcall function 6CA17897: _Yarn.LIBCPMT ref: 6CA178DA
                                • Part of subcall function 6CA17897: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA17917
                                • Part of subcall function 6C8E2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C8E2F95
                                • Part of subcall function 6C8E2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C8E2FAF
                                • Part of subcall function 6C8E2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E2FD0
                                • Part of subcall function 6C8E2F60: __Getctype.LIBCPMT ref: 6C8E3084
                                • Part of subcall function 6C8E2F60: std::_Facet_Register.LIBCPMT ref: 6C8E309C
                                • Part of subcall function 6C8E2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8E30B7
                              • std::ios_base::_Addstd.LIBCPMT ref: 6C8E211B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3332196525-1866435925
                              • Opcode ID: 13e3368462a41abdf1c1e95e53ba9665bdd35602f89c432f7fc60b770af2a80a
                              • Instruction ID: ee81f7bf83141be39df0c8103720bc5cd22b7b1d032c84dc3e4dd7e68ba4a013
                              • Opcode Fuzzy Hash: 13e3368462a41abdf1c1e95e53ba9665bdd35602f89c432f7fc60b770af2a80a
                              • Instruction Fuzzy Hash: 3B41D4B1A0030A8FDB10CF64C9457AABBB1FF49314F108668E519AB791E775E985CB90
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CA2B640,6C8E1DEA,00008000,6CA2B640,?,?,?,6CA2B1EF,6CA2B640,?,00000000,6C8E1DEA), ref: 6CA2B339
                              • GetLastError.KERNEL32(?,?,?,6CA2B1EF,6CA2B640,?,00000000,6C8E1DEA,?,6CA34C0E,6CA2B640,000000FF,000000FF,00000002,00008000,6CA2B640), ref: 6CA2B343
                              • __dosmaperr.LIBCMT ref: 6CA2B34A
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID: 8Q
                              • API String ID: 2336955059-4022487301
                              • Opcode ID: 56f858dbbf87daed01667253bd0404b6509ab3717d876e3dc4c4729c4abe2b26
                              • Instruction ID: a277e6cce2f4fdab0affdf40230cef6e2f5d7b867f4b93cc7cc91acf4ff2665a
                              • Opcode Fuzzy Hash: 56f858dbbf87daed01667253bd0404b6509ab3717d876e3dc4c4729c4abe2b26
                              • Instruction Fuzzy Hash: 0301FC33714525ABCF059F69EC058AE3B39EB86334B6D4308F822D7A80EB71DD858750
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: 6607c906aa28fbb4be0f78323f21a7c556c9233cbab95c128e661bda069539cc
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: 1541B771C05289EFCF14DBA2E6908EEB771AF1130CB64C269E12167D51EB35AACDDB01
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction ID: dae4fdf61a7ab6363c2aefbba13bf42e13d7f548525b87bb7b83649b877aa173
                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction Fuzzy Hash: B5119076600204BFEB214AA5DD44EAF7BBDEBC9744F10852DF24196B90D671AC88D760
                              APIs
                              • GetLastError.KERNEL32(00000008,?,00000000,6CA289C3), ref: 6CA24F27
                              • _free.LIBCMT ref: 6CA24F84
                              • _free.LIBCMT ref: 6CA24FBA
                              • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CA24FC5
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorLast_free
                              • String ID:
                              • API String ID: 2283115069-0
                              • Opcode ID: 215f7e624e594fec376682bfdbbae0df663c3262eae03db46f273cdcd7709541
                              • Instruction ID: 3e603d1b0e3809403fba3980da9610f8f9b31cb877df5784d65914cf7ca445ec
                              • Opcode Fuzzy Hash: 215f7e624e594fec376682bfdbbae0df663c3262eae03db46f273cdcd7709541
                              • Instruction Fuzzy Hash: D011CA3230C7317A9B125A758D80D5B2169DBC6B7DB3D0628F62487FC0EF69CC9D4110
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,6CA34C5C,00000000,00000000,?,6CA350C1,00000000,00000001,00000000,6CA2B640,?,6CA2C7F6,?,?,6CA2B640), ref: 6CA36441
                              • GetLastError.KERNEL32(?,6CA350C1,00000000,00000001,00000000,6CA2B640,?,6CA2C7F6,?,?,6CA2B640,?,6CA2B640,?,6CA2C28C,6CA36026), ref: 6CA3644D
                                • Part of subcall function 6CA3649E: CloseHandle.KERNEL32(FFFFFFFE,6CA3645D,?,6CA350C1,00000000,00000001,00000000,6CA2B640,?,6CA2C7F6,?,?,6CA2B640,?,6CA2B640), ref: 6CA364AE
                              • ___initconout.LIBCMT ref: 6CA3645D
                                • Part of subcall function 6CA3647F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CA3641B,6CA350AE,6CA2B640,?,6CA2C7F6,?,?,6CA2B640,?), ref: 6CA36492
                              • WriteConsoleW.KERNEL32(00000000,?,6CA34C5C,00000000,?,6CA350C1,00000000,00000001,00000000,6CA2B640,?,6CA2C7F6,?,?,6CA2B640,?), ref: 6CA36472
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: a954ca947e29800f28a136c9e19ba4fd31de295a1bdf800a8da9a59d32e5d01b
                              • Instruction ID: ea6694cd2f4a0f12922aa6de4f1881c22f404dff61c24eab333d2c434a045d43
                              • Opcode Fuzzy Hash: a954ca947e29800f28a136c9e19ba4fd31de295a1bdf800a8da9a59d32e5d01b
                              • Instruction Fuzzy Hash: EEF01236540329BBCF221F91DD149C93F36FB46765B048010FA5CC6610D67388609B90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: $SJ
                              • API String ID: 3732870572-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 439e75a724a7feb20e870686911b50981d7f2b84d1214e11d8c4b7150aa31065
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 33B15FB1D00209DFCB14CF6AC9849EEBBB1FF48358F24862ED555A7B50D730AA85CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog3_
                              • String ID: 8Q
                              • API String ID: 2427045233-4022487301
                              • Opcode ID: 084005bf24b06262572a4a96f67c3c5ce722079bb160fc9602abf610b934b8cb
                              • Instruction ID: f3d358e14efc2e4b963b010de2ec5fdb8f3d7434fa1d778b271a2c1330c3330f
                              • Opcode Fuzzy Hash: 084005bf24b06262572a4a96f67c3c5ce722079bb160fc9602abf610b934b8cb
                              • Instruction Fuzzy Hash: 5D71C571D022269BDF108F95C954BEEB67DEF07318F2C4269E890ABA40D779C8C6C760
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6C8E2A76
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: Jbx$Jbx
                              • API String ID: 4194217158-1161259238
                              • Opcode ID: 0da6940cf6bfebedf386f4bec8e31c5e41c3f7dfd96c33ac43d58cdfbd72114e
                              • Instruction ID: 9ce41aaad78c0e1f4e4d8513fca30db45378f28ee68d86054b496337e98698c3
                              • Opcode Fuzzy Hash: 0da6940cf6bfebedf386f4bec8e31c5e41c3f7dfd96c33ac43d58cdfbd72114e
                              • Instruction Fuzzy Hash: 985137B19002058FCB20CF68DA84A9EBBB5FF8A304F14897DD849DB741D335E989CB91
                              APIs
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6CA2ACA9
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000,6CA2B09D,00000000,00000000,00000000,?,?,6CA17A27,00000000), ref: 6CA2AD29
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
                              • String ID: _c$
                              • API String ID: 1834446548-1047311438
                              • Opcode ID: fe22e2bbfde78d86eb6311a8dd2de6acfd4bd1ba63121cee86b70ad67cd9f7a5
                              • Instruction ID: 26758c3b03448481af2ed89727f89239b82e9f675867c890ffcb04e89c2ea934
                              • Opcode Fuzzy Hash: fe22e2bbfde78d86eb6311a8dd2de6acfd4bd1ba63121cee86b70ad67cd9f7a5
                              • Instruction Fuzzy Hash: 3F410531A00168ABDB15CF68CD80BE9B7B7EB48309F5C82E9E54997640E778DDC98B40
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CA34C46), ref: 6CA2D58B
                              • __dosmaperr.LIBCMT ref: 6CA2D592
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr
                              • String ID: 8Q
                              • API String ID: 1659562826-4022487301
                              • Opcode ID: e45875c68323bbddbca2c7cc574a46b5649a511b0e550e14cb817e3de1691bbe
                              • Instruction ID: 90c88062d7db2bf8b0ae8a8f2777994a847f1ee1b3080267231558c9e25776e7
                              • Opcode Fuzzy Hash: e45875c68323bbddbca2c7cc574a46b5649a511b0e550e14cb817e3de1691bbe
                              • Instruction Fuzzy Hash: D8416971A041A4AFDB118F59C880AA97FE5EF4635CF2C4259E88187A43D3B99C95C790
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: _free
                              • String ID: _c$
                              • API String ID: 269201875-1047311438
                              • Opcode ID: 0f841118ce3bd074e47a427e751597c6b895a25828fe6a5fb905ba803447f6ed
                              • Instruction ID: 7e5c91e671f8a6cc3c4e2194d9ddc62128096f0a500bea381eaf2894c45262cb
                              • Opcode Fuzzy Hash: 0f841118ce3bd074e47a427e751597c6b895a25828fe6a5fb905ba803447f6ed
                              • Instruction Fuzzy Hash: 6741E432A002149FCB00DF78C980A99B7F6EF8974CB29456CE515EBB41EB31ED49CB80
                              APIs
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,6CA2C2F3,6CA36026,6CA2B640,?,6CA34C5C,?,00000000,00000000,6CA36026,00000000,00000000), ref: 6CA2CAE0
                              • GetLastError.KERNEL32(6CA2C2F3,6CA36026,6CA2B640,?,6CA34C5C,?,00000000,00000000,6CA36026,00000000,00000000,?,00000000,6CA2B640,6CA34C5C,00000000), ref: 6CA2CB10
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorFileLastWrite
                              • String ID: _c$
                              • API String ID: 442123175-1047311438
                              • Opcode ID: f794fe24fe10661014766996e0a38043ce73f874fdda7d7f43ffa2e9dd5a3997
                              • Instruction ID: a210a86bf97a2ead862242c2a67840bb4301ed4b91fbf9269462c73279126de3
                              • Opcode Fuzzy Hash: f794fe24fe10661014766996e0a38043ce73f874fdda7d7f43ffa2e9dd5a3997
                              • Instruction Fuzzy Hash: 3231A5717002299FEB14DF19DC81AE973B5AF44349F1840A9E505E7650DB74EDC48B61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: 0e8fd83194a89c17b50a3d9c5246679e2570a6f3c77d26a0b2347aebb7295e43
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: 2F2174B0A017046FD7308FA99880A6BBAFDEB48754F14891EF186D7A41D770A9888B65
                              APIs
                              • WriteFile.KERNEL32(?,?,?,?,00000000,?,6CA2B640,?,?,6CA2C2E3,6CA36026,6CA2B640,?,6CA34C5C,?,00000000), ref: 6CA2C9B8
                              • GetLastError.KERNEL32(?,6CA2C2E3,6CA36026,6CA2B640,?,6CA34C5C,?,00000000,00000000,6CA36026,00000000,00000000,?,00000000,6CA2B640,6CA34C5C), ref: 6CA2C9DE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorFileLastWrite
                              • String ID: _c$
                              • API String ID: 442123175-1047311438
                              • Opcode ID: d1b4b7cb7e2249deec4e4623cd184384515e881a5339c6f00a95e59f3e54c2ec
                              • Instruction ID: abd8017cb8603f1915c2977f0db823abafb895f8f2e5f43ae713dda945c3b4e1
                              • Opcode Fuzzy Hash: d1b4b7cb7e2249deec4e4623cd184384515e881a5339c6f00a95e59f3e54c2ec
                              • Instruction Fuzzy Hash: 0A21A231B002289FDB24DF59C8819DDB3B9FF49318F1885AAE90AE7650D730DE85CA50
                              APIs
                              • WriteFile.KERNEL32(?,?,?,?,00000000,?,6CA2B640,?,?,6CA2C303,6CA36026,6CA2B640,?,6CA34C5C,?,00000000), ref: 6CA2C8CF
                              • GetLastError.KERNEL32(?,6CA2C303,6CA36026,6CA2B640,?,6CA34C5C,?,00000000,00000000,6CA36026,00000000,00000000,?,00000000,6CA2B640,6CA34C5C), ref: 6CA2C8F5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorFileLastWrite
                              • String ID: _c$
                              • API String ID: 442123175-1047311438
                              • Opcode ID: f2bc250ae2398ba33d1d0dfdcbc12b6f138c05845730fa2bf021e836e8ec3f05
                              • Instruction ID: 6d8186bcccdedb638a9d5c79cb9c489aa038ad0b4ea8932f71793d834963655d
                              • Opcode Fuzzy Hash: f2bc250ae2398ba33d1d0dfdcbc12b6f138c05845730fa2bf021e836e8ec3f05
                              • Instruction Fuzzy Hash: 0D21B430B002299BDB19DF1DC9849D9B7B5EB49309F1881AAE905D7611D730DD86CB61
                              APIs
                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6CA1913D
                              • ___raise_securityfailure.LIBCMT ref: 6CA19225
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: FeaturePresentProcessor___raise_securityfailure
                              • String ID: _c$
                              • API String ID: 3761405300-1047311438
                              • Opcode ID: a830b21f4ddc6f750c68c59d8d8b054c5be64980e3127188cda300a0e17e4720
                              • Instruction ID: ab3b0f88d18f7e6b566dfa6f71e437e07739a29289862c7d771b24fd2bb5dc9d
                              • Opcode Fuzzy Hash: a830b21f4ddc6f750c68c59d8d8b054c5be64980e3127188cda300a0e17e4720
                              • Instruction Fuzzy Hash: 2821EDB96142019ADB04DFA9E697B467BB4BB4A31CF11902AF518DBF90E3B05A80CF44
                              APIs
                              • _free.LIBCMT ref: 6CA2E2B9
                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CA2ABAA,?,00000004,?,4B42FCB6,?,?,6CA1FCFC,4B42FCB6,?), ref: 6CA2E2F5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
                              • Associated: 00000006.00000002.2209433819.000000006C890000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210688817.000000006CA38000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2212078491.000000006CC03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: AllocHeap_free
                              • String ID: 8Q
                              • API String ID: 1080816511-4022487301
                              • Opcode ID: 70fa8af3b9de75be38a606f8271222e82a8d3f3ad5526be2b76332c0df9e3ceb
                              • Instruction ID: 929e97f59b741452ab749370a6af9b3d7739c2bc969416da8e67f44f3e75527b
                              • Opcode Fuzzy Hash: 70fa8af3b9de75be38a606f8271222e82a8d3f3ad5526be2b76332c0df9e3ceb
                              • Instruction Fuzzy Hash: 1AF0C232605235A69F211E36AC00B8B37689F82B7AB1D4129E915A6E80DB28D4C583E0
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction ID: 1e3aa2e161b223aa535de20f51075f2b9b7389a6ecd0ae9112f622d5359816c8
                              • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction Fuzzy Hash: D951AE309042099FCF01CFA4DB40ADEB7B5AF0931CF24942AF81267A91DB7599DECB55
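Added example, not part of the Joe Sandbox report or of the analysed sample: a Python parser for the function records listed above (the APIs, Strings, Memory Dump Source and Similarity blocks). It turns each record into a dict, rebases every call site onto the dumped region named in its Source File line, groups functions by their API String ID (the two ErrorFileLastWrite records above share 442123175-1047311438 but have different Opcode IDs, so they are two distinct wrappers around WriteFile/GetLastError), and tags the IsProcessorFeaturePresent(00000017) followed by ___raise_securityfailure pattern as the MSVC CRT /GS stack-cookie failure handler (__report_gsfailure; 0x17 is PF_FASTFAIL_AVAILABLE). That identification and the record terminator (the Instruction Fuzzy Hash line) are this example's assumptions, not statements of the report. The sample input is constructed from three records on this page, trimmed to the lines the parser reads.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from the report section above, trimmed
# to the lines the parser reads (Snapshot File / Associated lines omitted).
SAMPLE = """\
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,?,6CA2B640,?,?,6CA2C303,6CA36026,6CA2B640,?,6CA34C5C,?,00000000), ref: 6CA2C8CF
• GetLastError.KERNEL32(?,6CA2C303,6CA36026,6CA2B640,?,6CA34C5C,?,00000000,00000000,6CA36026,00000000,00000000,?,00000000,6CA2B640,6CA34C5C), ref: 6CA2C8F5
Strings
Memory Dump Source
• Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
Similarity
• API ID: ErrorFileLastWrite
• String ID: _c$
• API String ID: 442123175-1047311438
• Opcode ID: f2bc250ae2398ba33d1d0dfdcbc12b6f138c05845730fa2bf021e836e8ec3f05
• Instruction Fuzzy Hash: 0D21B430B002299BDB19DF1DC9849D9B7B5EB49309F1881AAE905D7611D730DD86CB61
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6CA1913D
• ___raise_securityfailure.LIBCMT ref: 6CA19225
Strings
Memory Dump Source
• Source File: 00000006.00000002.2209461812.000000006C891000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C890000, based on PE: true
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: _c$
• API String ID: 3761405300-1047311438
• Opcode ID: a830b21f4ddc6f750c68c59d8d8b054c5be64980e3127188cda300a0e17e4720
• Instruction Fuzzy Hash: 2821EDB96142019ADB04DFA9E697B467BB4BB4A31CF11902AF518DBF90E3B05A80CF44
Strings
Memory Dump Source
• Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
Similarity
• API ID:
• String ID: D)K$H)K$P)K$T)K
• API String ID: 0-2262112463
• Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
• Instruction Fuzzy Hash: D951AE309042099FCF01CFA4DB40ADEB7B5AF0931CF24942AF81267A91DB7599DECB55
"""

# "• WriteFile.KERNEL32(?,...,00000000), ref: 6CA2C8CF" and "• _free.LIBCMT ref: 6CA2E2B9"
API_RE = re.compile(r"^•\s*(?P<name>[^.\s(]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
                    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")      # "• API ID: value"
OFFSET_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-Fa-f]+)")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def _new_record():
    return {"apis": [], "fields": {}, "associated": [], "source_file": None, "region_offset": None}


def parse_records(text):
    """One dict per function. Assumption: a record ends at its 'Instruction Fuzzy Hash'
    line (the last field printed); API lines are only read under the APIs header."""
    records, cur, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "args": m["args"].split(",") if m["args"] else [],
                                "ref": int(m["ref"], 16)})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m["key"], m["value"].strip()
        if key == "Source File":        # "<dump>.sdmp, Offset: 6C890000, based on PE: true"
            off = OFFSET_RE.search(value)
            cur["source_file"] = value.split(",", 1)[0]
            cur["region_offset"] = int(off["off"], 16) if off else None
        elif key == "Associated":
            cur["associated"].append(value)
        else:
            cur["fields"][key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur, section = _new_record(), None
    return records


def call_sites(rec):
    """(api, offset into the dumped region) per call: comparable across dumps whose
    regions were mapped at different addresses."""
    base = rec["region_offset"] or 0
    return [(a["name"], a["ref"] - base) for a in rec["apis"]]


def group_by_api_string_id(records):
    """Opcode IDs per 'API String ID' (<api hash>-<string hash>). Members of a group share
    API set and strings; different Opcode IDs inside a group are different code."""
    groups = defaultdict(list)
    for r in records:
        groups[r["fields"].get("API String ID", "")].append(r["fields"].get("Opcode ID"))
    return dict(groups)


def classify(rec):
    """Tag compiler-runtime functions so triage can skip them. IsProcessorFeaturePresent(0x17,
    PF_FASTFAIL_AVAILABLE) followed by ___raise_securityfailure is the MSVC CRT /GS
    cookie-failure handler (__report_gsfailure); this mapping is the example's, not the report's."""
    calls = [(a["name"], tuple(a["args"])) for a in rec["apis"]]
    if (("IsProcessorFeaturePresent", ("00000017",)) in calls
            and any(n == "___raise_securityfailure" for n, _ in calls)):
        return "crt:gs_failure_handler"
    if not rec["apis"]:
        return "no-api:string-refs" if rec["fields"].get("String ID") else "no-api"
    return "unclassified"


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["fields"]["Opcode ID"][:16], classify(r), [(n, hex(o)) for n, o in call_sites(r)])
```

Run against the full report text instead of SAMPLE to get every function; the Associated lines are collected per record, and records with an empty API ID (API String ID starting with 0-) surface as string-only code that the API grouping cannot relate to anything else.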
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: ((K$<(K$L(K$\(K
                              • API String ID: 0-3238140439
                              • Opcode ID: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                              • Instruction ID: 15f26bb7ac4e38605539e8aab4fe5e31c01b62ae468cd7e74c8fdd59cc1a0990
                              • Opcode Fuzzy Hash: cede27c3a22cca09b7bd7d03a45c990e4592a35e63268caaaf0da1c0b765a472
                              • Instruction Fuzzy Hash: 0F213CB0901B40DEC724DFAAC65469BFBF4AF54308F108A5FC09697B50DBB4A64C8B69
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 0-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: e53f08455c07bb5d4bed3d05be37d1358d6bd60f9b53440688f2431da54855f4
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 52218B71D01248EECB04DBE5DA849EDBBB5AF25318F60816DE41667B81DB780E8CCB51
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: J$0J$DJ$`J
                              • API String ID: 0-2453737217
                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction ID: 346b8db269e5f4c08e5a7b840470ceb36604d409f0f19bc89884035584948344
                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction Fuzzy Hash: 3A1103B0900B64CEC720CF5AC65019AFBE4FFA5708B00CA1FC0A687B10C7F8A548CB89
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2210760308.000000006CA48000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA48000, based on PE: true
                              • Associated: 00000006.00000002.2211367263.000000006CB13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2211398483.000000006CB19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c890000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: 00K$@0K$P0K$`0K
                              • API String ID: 0-1070766156
                              • Opcode ID: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                              • Instruction ID: cc08c49e7cab151d94aeeb036fe5aa8110f11b29cf5188a6292b857041db77c5
                              • Opcode Fuzzy Hash: 7efb1c77604c1d1a2dcd35be8e9d5171401199da8c632a149feb581716eb9edd
                              • Instruction Fuzzy Hash: 2DF03FB14152408FD348DF1A9598A82BFE0AF95319B56C1DED0184F276C3B9CA48CFA8