
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.4.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b2.0.4.exe
renamed because original name is a hash value
Original sample name: 2.0.4.exe
Analysis ID: 1580394
MD5: 824d18101868c00261fd732e2e713fa6
SHA1: 04df8109561e9a1aed04fa7ed7d4b3c931bde5c7
SHA256: 2e5c530decd37133e50f6b149f634973e54cf555abcb309e829a3e8dcd223724
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b2.0.4.exe (PID: 7740 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" MD5: 824D18101868C00261FD732E2E713FA6)
    • #U5b89#U88c5#U52a9#U624b2.0.4.tmp (PID: 7792 cmdline: "C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1046E,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" MD5: 5F1FEB7EA510D8FB9A35D5802519EBDB)
      • powershell.exe (PID: 7816 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 8020 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b2.0.4.exe (PID: 8132 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT MD5: 824D18101868C00261FD732E2E713FA6)
        • #U5b89#U88c5#U52a9#U624b2.0.4.tmp (PID: 8152 cmdline: "C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$50484,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT MD5: 5F1FEB7EA510D8FB9A35D5802519EBDB)
          • 7zr.exe (PID: 7232 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7372 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7680 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 5948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2944 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7208 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3280 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2500 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6876 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2212 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6748 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7480 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5612 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7548 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4932 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7776 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7688 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7748 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3232 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7264 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3396 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2884 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3032 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7872 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7960 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3836 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4496 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6964 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7028 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6748 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2344 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5512 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4940 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3364 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7784 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8068 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1046E,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp, ParentProcessId: 7792, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7816, ProcessName: powershell.exe
Source: Process started Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2944, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7208, ProcessName: sc.exe
Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1046E,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp, ParentProcessId: 7792, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7816, ProcessName: powershell.exe
Source: Process started Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2944, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7208, ProcessName: sc.exe
Source: Process started Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1046E,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp, ParentProcessId: 7792, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7816, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-L5HRU.tmp\update.vac ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-TUS1K.tmp\update.vac ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.1% probability
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.1560447972.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.1560319738.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C3CB430 FindFirstFileA,FindClose,7_2_6C3CB430
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_000E6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,11_2_000E6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_000E7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,11_2_000E7496
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000003.1524253595.0000000004280000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.2.dr, update.vac.7.dr, 7zr.exe.7.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432837302.000000007F97B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432356130.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000000.1434631947.0000000000DD1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000000.1527266748.000000000029D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432837302.000000007F97B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432356130.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000000.1434631947.0000000000DD1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000000.1527266748.000000000029D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Process information set: 01 00 00 00

System Summary

Source: update.vac.2.dr Static PE information: section name: .#.q
Source: update.vac.7.dr Static PE information: section name: .#.q
Source: hrsw.vbc.7.dr Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C3D5690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,7_2_6C3D5690
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C253886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C253886
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C253C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C253C62
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C253D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C253D18
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C253D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C253D62
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C2539CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C2539CF
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C253A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,7_2_6C253A6A
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C3D62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6C3D62D0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C251950: CreateFileA,DeviceIoControl,CloseHandle,7_2_6C251950
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C254754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,7_2_6C254754
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C2547547_2_6C254754
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C264A277_2_6C264A27
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C3D1DF07_2_6C3D1DF0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C3D6FB37_2_6C3D6FB3
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C436CE07_2_6C436CE0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C486D107_2_6C486D10
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4A4DE07_2_6C4A4DE0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C422EC97_2_6C422EC9
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C45AEEF7_2_6C45AEEF
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C48EEF07_2_6C48EEF0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C408EA17_2_6C408EA1
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4A48707_2_6C4A4870
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C47E8107_2_6C47E810
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4968207_2_6C496820
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C49C8D07_2_6C49C8D0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4548967_2_6C454896
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4989507_2_6C498950
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4089727_2_6C408972
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4869007_2_6C486900
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4AA91A7_2_6C4AA91A
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C49A9307_2_6C49A930
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4A69997_2_6C4A6999
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C460A527_2_6C460A52
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4AAA007_2_6C4AAA00
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C494AA07_2_6C494AA0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C420B667_2_6C420B66
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C49EBC07_2_6C49EBC0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C410BCA7_2_6C410BCA
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C47AB907_2_6C47AB90
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C48E4D07_2_6C48E4D0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4944897_2_6C494489
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4684AC7_2_6C4684AC
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4725217_2_6C472521
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4985207_2_6C498520
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4845D07_2_6C4845D0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4825807_2_6C482580
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C48C5807_2_6C48C580
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C49E6007_2_6C49E600
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4A46C07_2_6C4A46C0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4A67C07_2_6C4A67C0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C40C7CF7_2_6C40C7CF
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C46C7F37_2_6C46C7F3
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4967A07_2_6C4967A0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4800207_2_6C480020
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C48E0E07_2_6C48E0E0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C4982007_2_6C498200
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C49C2A07_2_6C49C2A0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpCode function: 7_2_6C496AF07_2_6C496AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001281EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001681C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00154250
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00178240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0017C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001704C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00158650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0015C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00130943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00158C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00170E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00174EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0016D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001410AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00171120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00165180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0015D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001791C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0017D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001453F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0017D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0012D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001754D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00171550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E1572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00139652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0016D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000F9766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0017D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00165E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00165F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000FE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001622E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00182300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0014E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001625F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0015A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001566D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0017E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00162A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0013AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00166CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001670D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0014B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0015B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00177200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0016F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0017F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0010B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00157410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0016F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0018351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0015F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00173530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0017F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00183601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00153790
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001777C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0010F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0015F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000FBAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00167AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00133AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00167C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000FBC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_0015FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 000E1E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0017FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 000E28E3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: String function: 6C4A6F10 appears 387 times
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.6.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.6.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000000.1429811232.0000000000299000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameBhuQ1buY6k.exe vs #U5b89#U88c5#U52a9#U624b2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432837302.000000007FC7A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameBhuQ1buY6k.exe vs #U5b89#U88c5#U52a9#U624b2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432356130.00000000032FE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameBhuQ1buY6k.exe vs #U5b89#U88c5#U52a9#U624b2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe | Binary or memory string: OriginalFileNameBhuQ1buY6k.exe vs #U5b89#U88c5#U52a9#U624b2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.13.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@144/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C3D62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,7_2_6C3D62D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,11_2_000E9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000F3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,11_2_000F3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,11_2_000E9252
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C3D57B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,7_2_6C3D57B0
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | File created: C:\Program Files (x86)\Windows NT\is-82I6P.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4360:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2816:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2512:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1568:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4608:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2940:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1872:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4452:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | File created: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | Process created: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1046E,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | Process created: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$50484,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1046E,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$50484,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar (identical entry repeated 30 times)
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe Static file information: File size 6130073 > 1048576
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.1560447972.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.1560319738.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_001657D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 11_2_001657D0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe Static PE information: real checksum: 0x0 should be: 0x5dc5ed
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343936
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.6.dr Static PE information: real checksum: 0x0 should be: 0x343936
Source: update.vac.7.dr Static PE information: real checksum: 0x0 should be: 0x378c79
Source: update.vac.2.dr Static PE information: real checksum: 0x0 should be: 0x378c79
Source: hrsw.vbc.7.dr Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.13.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.2.dr Static PE information: section name: .00cfg
Source: update.vac.2.dr Static PE information: section name: .voltbl
Source: update.vac.2.dr Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.6.dr Static PE information: section name: .didata
Source: 7zr.exe.7.dr Static PE information: section name: .sxdata
Source: update.vac.7.dr Static PE information: section name: .00cfg
Source: update.vac.7.dr Static PE information: section name: .voltbl
Source: update.vac.7.dr Static PE information: section name: .#.q
Source: hrsw.vbc.7.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.7.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.7.dr Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C3D8C5B push ecx; ret 7_2_6C3D8C6E
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C280F00 push ss; retn 0001h 7_2_6C280F0A
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp Code function: 7_2_6C4A6F10 push eax; ret 7_2_6C4A6F2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_000E45F4 push 0018C35Ch; ret 11_2_000E460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_0017FB10 push eax; ret 11_2_0017FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 11_2_0017FE90 push eax; ret 11_2_0017FEBE
Source: update.vac.2.dr Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.7.dr Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.7.dr Static PE information: section name: .#.q entropy: 7.193027440134885
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-TUS1K.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe File created: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-L5HRU.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-TUS1K.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-L5HRU.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe File created: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-L5HRU.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-TUS1K.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (observed 2 times)
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (observed 6 times)
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (observed 97 times)
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (observed 10 times)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (observed 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6288
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3515
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Window / User API: threadDelayed 588
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Window / User API: threadDelayed 565
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Window / User API: threadDelayed 539
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TUS1K.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L5HRU.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TUS1K.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L5HRU.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (observed 29 times)
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C3CB430 FindFirstFileA,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000E9C60 GetSystemInfo
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000002.1543664201.000000000164D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000002.1543664201.000000000164D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
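The firmware-table query and the VMware CD-ROM device string above are the two fingerprints this sample can use to tell a sandbox from a real host: the raw SMBIOS table (what SystemFirmwareTableInformation / GetSystemFirmwareTable returns) and PnP device IDs carrying the hypervisor's Ven_/Prod_ strings. The PowerShell below is an added example, not code from the Joe Sandbox report or from the sample, that reads the same SMBIOS table from the analyst's side and lists the device IDs, so you can see which vendor strings an analysis VM exposes before hardening it. The function names and the marker list are this example's own assumptions.

```powershell
# Added example: enumerate the VM fingerprints a sample sees on this host.
# Not part of the sandbox report or the analysed sample.

Add-Type -Namespace Native -Name Firmware -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(
    uint FirmwareTableProviderSignature, uint FirmwareTableID,
    byte[] pFirmwareTableBuffer, uint BufferSize);
'@

# Assumed marker list; extend it for the hypervisors you actually run.
$VmMarkers = @('VMware', 'VMW', 'Virtual', 'VBOX', 'VirtualBox', 'innotek',
               'QEMU', 'BOCHS', 'Xen', 'KVM', 'Hyper-V', 'Parallels')

function Get-SmbiosStrings {
    # 'RSMB' as a big-endian DWORD selects the raw SMBIOS table; table ID is 0 for RSMB.
    $rsmb = [uint32]0x52534D42
    $size = [Native.Firmware]::GetSystemFirmwareTable($rsmb, 0, $null, 0)
    if ($size -eq 0) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetSystemFirmwareTable failed (Win32 error $err)"
    }
    $buf = New-Object byte[] $size
    [void][Native.Firmware]::GetSystemFirmwareTable($rsmb, 0, $buf, $size)
    # Latin-1 keeps a 1:1 byte-to-char mapping, so the regex sees every byte.
    $text = [Text.Encoding]::GetEncoding(28591).GetString($buf)
    # Printable runs of 4+ characters are the SMBIOS string table entries
    # (manufacturer, product, BIOS vendor, serial numbers).
    [regex]::Matches($text, '[\x20-\x7E]{4,}') |
        ForEach-Object { $_.Value.Trim() } | Sort-Object -Unique
}

function Get-PnpDeviceIds {
    # Win32_PnPEntity.DeviceID carries the same Ven_/Prod_ text the sample found
    # in its SCSI\CdRom device path (e.g. Ven_NECVMWar&Prod_VMware_SATA_CD00).
    Get-CimInstance -ClassName Win32_PnPEntity |
        Select-Object -ExpandProperty DeviceID
}

function Get-WmiHardwareStrings {
    # The same fields that WMI-based checks (Win32_ComputerSystem, Win32_BIOS,
    # Win32_DiskDrive) would read; listed so one report covers all paths.
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $disk = Get-CimInstance -ClassName Win32_DiskDrive
    @($cs.Manufacturer, $cs.Model, $bios.Manufacturer, $bios.SMBIOSBIOSVersion,
      $bios.SerialNumber) + @($disk | ForEach-Object { $_.Model })
}

function Find-VmMarkers {
    param([string[]]$Strings, [string]$Origin)
    $pattern = ($VmMarkers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($s in $Strings) {
        if ($s -and $s -match $pattern) {          # -match is case-insensitive
            [pscustomobject]@{ Origin = $Origin; Value = $s }
        }
    }
}

# Report: one row per string a VM-detection routine could key on.
$findings = @()
$findings += Find-VmMarkers -Strings (Get-SmbiosStrings)      -Origin 'SMBIOS (RSMB)'
$findings += Find-VmMarkers -Strings (Get-PnpDeviceIds)       -Origin 'PnP DeviceID'
$findings += Find-VmMarkers -Strings (Get-WmiHardwareStrings) -Origin 'WMI hardware'
$findings | Sort-Object Origin, Value -Unique | Format-Table -AutoSize
```

Run it in the analysis VM itself. An empty result for the SMBIOS origin means a sample that only reads the firmware table will not see the hypervisor; a hit on the PnP origin shows that device-path strings like the one recorded above still leak and need fixing at the hypervisor configuration level, not inside the guest.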

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C253886 NtSetInformationThread 00000000,00000011,00000000,00000000 (ThreadInformationClass 0x11 = ThreadHideFromDebugger)
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Thread information set: HideFromDebugger (observed 2 times)
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C3E06F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter (observed 2 times)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_001657D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C3DF6ED mov eax, dword ptr fs:[00000030h] (reads the PEB)
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C3EA2A5 mov eax, dword ptr fs:[00000030h] (reads the PEB)
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C3EA2D6 mov eax, dword ptr fs:[00000030h] (reads the PEB)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Code function: 7_2_6C3D922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (observed 2 times)
Source: tProtect.dll.13.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (observed 30 times)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
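The two host changes recorded in this section are the ones a responder needs to find on other machines: a Defender path exclusion covering the entire C:\ volume, and a kernel-mode service (CleverSoar) whose image is a .dll under Program Files rather than a .sys under System32\drivers. The PowerShell below is an added example, not code from the Joe Sandbox report or from the sample, that audits a host for both conditions and pulls the Defender configuration-change events that record the exclusion. The function names, the list of locations treated as "broad", and the noise filters are this example's assumptions; run it elevated.

```powershell
# Added example: audit a host for the Defender exclusion and the kernel-service
# persistence seen in the report. Not part of the sandbox report or the sample.

function Get-BroadDefenderExclusions {
    # Flags exclusions that neutralise Defender for a whole volume, a UNC share
    # root, or a user-writable tree. The location list is an assumption.
    $broad = '^(?i)(?:[a-z]:\\?|\\\\[^\\]+\\[^\\]+\\?|[a-z]:\\(?:users|programdata|windows\\temp|temp)\\?)$'
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and $p -match $broad) {
            [pscustomobject]@{
                Check  = 'DefenderExclusion'
                Item   = $p
                Detail = ''
                Reason = 'exclusion covers a whole volume or a user-writable tree'
            }
        }
    }
}

function Get-DefenderExclusionEvents {
    # Event ID 5007 in the Defender operational log records configuration
    # changes; the message names the registry value written, so an
    # Add-MpPreference -ExclusionPath shows up under ...\Exclusions\Paths.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'DefenderConfigChange'
                Item   = $_.TimeCreated
                Detail = ($_.Message -split '\r?\n' | Where-Object { $_ -match 'Exclusions\\' }) -join ' '
                Reason = 'exclusion list modified (event 5007)'
            }
        }
}

function Get-SuspiciousKernelServices {
    # 'sc create ... type= kernel' stores Type=1 (SERVICE_KERNEL_DRIVER); Type=2 is
    # a file-system driver. Legitimate drivers are .sys files under System32\drivers
    # or the DriverStore. A .dll image, as with tProtect.dll above, fails both tests.
    $expectedDir = '(?i)system32\\(?:drivers|driverstore)\\'
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        if (-not ($svc.Type -in @(1, 2))) { return }
        $image = [string]$svc.ImagePath
        if (-not $image) { return }            # nothing to load; skip
        $reasons = @()
        if ($image -notmatch '\.sys\s*$')  { $reasons += 'image is not a .sys file' }
        if ($image -notmatch $expectedDir) { $reasons += 'image outside System32\drivers or DriverStore' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Check  = 'KernelService'
                Item   = $_.PSChildName
                Detail = "$image (Start=$($svc.Start))"
                Reason = $reasons -join '; '
            }
        }
    }
}

# One table for the whole audit.
@(Get-BroadDefenderExclusions) +
@(Get-DefenderExclusionEvents) +
@(Get-SuspiciousKernelServices) | Format-Table Check, Item, Detail, Reason -AutoSize -Wrap
```

On a host that ran this installer the kernel-service check returns CleverSoar with both reasons, and the exclusion check returns C:\. Third-party drivers that legitimately live outside System32\drivers will also appear in the kernel-service rows; baseline them once per image rather than loosening the location test, because the .sys-extension test alone would miss a driver that is a renamed .sys.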
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00180300 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (observed 6 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (observed 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_000EAB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 11_2_00180090 GetVersion
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000002.1683936847.0000000000B43000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
MITRE ATT&CK matrix (techniques prefixed with a number were flagged in this analysis):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 1 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 431 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 111 Process Injection | 231 Virtualization/Sandbox Evasion | Security Account Manager | 231 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | 25 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph ID: 1580394. Sample: #U5b89#U88c5#U52a9#U624b2.0.4.exe. Start date: 24/12/2024. Architecture: WINDOWS. Score: 88.

Signatures on the start node: Multi AV Scanner detection for dropped file; Found driver which could be used to inject code into processes; PE file contains section with special chars; 2 other signatures.

Process tree (node ids from the graph):

  • 11 #U5b89#U88c5#U52a9#U624b2.0.4.exe
    • dropped: C:\...\#U5b89#U88c5#U52a9#U624b2.0.4.tmp (PE32)
    • 20 #U5b89#U88c5#U52a9#U624b2.0.4.tmp
      • dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      • signature: Adds a directory exclusion to Windows Defender
      • 36 #U5b89#U88c5#U52a9#U624b2.0.4.exe
        • dropped: C:\...\#U5b89#U88c5#U52a9#U624b2.0.4.tmp (PE32)
        • 56 #U5b89#U88c5#U52a9#U624b2.0.4.tmp
          • dropped: C:\Users\user\AppData\Local\...\update.vac (PE32); C:\Program Files (x86)\...\is-LCL3P.tmp (DOS); C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32); 2 other files (none is malicious)
          • signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
          • 64 7zr.exe -> dropped C:\Program Files (x86)\Windows NT\trash (DOS); started 71 conhost.exe
          • 67 7zr.exe -> dropped C:\Program Files (x86)\...\tProtect.dll (PE32+); started 73 conhost.exe
          • 69 cmd.exe -> 75 sc.exe -> 79 conhost.exe; 77 Conhost.exe
      • 39 powershell.exe
        • signature: Loading BitLocker PowerShell Module
        • 60 conhost.exe; 62 WmiPrvSE.exe
  • 14 cmd.exe -> 24 sc.exe -> 42 conhost.exe
  • 16 cmd.exe -> 26 sc.exe -> 44 conhost.exe
  • 18 (29 other processes) -> 28 sc.exe -> 46 conhost.exe; 30 sc.exe -> 48 conhost.exe; 32 sc.exe -> 50 conhost.exe; 34 (25 other processes) -> 52 conhost.exe; 54 (24 other processes)
Antivirus detection, sample:

| Source | Detection | Scanner |
|---|---|---|
| #U5b89#U88c5#U52a9#U624b2.0.4.exe | 0% | ReversingLabs |

Antivirus detection, dropped files:

| Source | Detection | Scanner |
|---|---|---|
| C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs |
| C:\Program Files (x86)\Windows NT\hrsw.vbc | 24% | ReversingLabs |
| C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\is-L5HRU.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\is-L5HRU.tmp\update.vac | 24% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\is-TUS1K.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
| C:\Users\user\AppData\Local\Temp\is-TUS1K.tmp\update.vac | 24% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b2.0.4.exe | false | | high |
| https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432837302.000000007F97B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432356130.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000000.1434631947.0000000000DD1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000000.1527266748.000000000029D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr | false | | high |
| https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432837302.000000007F97B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1432356130.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000000.1434631947.0000000000DD1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000007.00000000.1527266748.000000000029D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr | false | | high |
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580394
        Start date and time:2024-12-24 13:12:11 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 10m 56s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of new started processes analysed:108
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U52a9#U624b2.0.4.exe
        renamed because original name is a hash value
        Original Sample Name:2.0.4.exe
        Detection:MAL
        Classification:mal88.evad.winEXE@144/33@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 76%
        • Number of executed functions: 28
        • Number of non-executed functions: 80
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
        • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 20.12.23.50
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.4.exe
        No simulations
        No context
| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.2.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b2.0.3.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b2.0.1.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b2.0.6.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b2.0.7.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b2.0.5.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b2.0.2.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b2.0.3.exe | malicious | Unknown |
| | #U5b89#U88c5#U52a9#U624b2.0.1.exe | malicious | Unknown |
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):831200
                          Entropy (8bit):6.671005303304742
                          Encrypted:false
                          SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                          MD5:84DC4B92D860E8AEA55D12B1E87EA108
                          SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                          SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                          SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Joe Sandbox View:
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious, Browse
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1372592
                          Entropy (8bit):7.999861765609051
                          Encrypted:true
                          SSDEEP:24576:2kMb3vsiC+gx2uaeFPJSyOODttN98lqcaSe6IblRJRyfDcKNbSbm:2BLSjjTdOO/N981He66RJRADqm
                          MD5:13E2444DA7092C99CD5B7D74CAF035A3
                          SHA1:127F47FDBA8D8CCD5515AEF760DFFBBF4B8AE75F
                          SHA-256:9CFB0AE92EF977DA9735DB02DC5BC51053B329C0FC7E1592655C4494D20C097B
                          SHA-512:A6C9F4C85CBA1DF6C41AC03AA2F9076095B4A710FD344AE4C29A183B17947AC69A13293B6371B09EC937150DC0A5663B38A36E97F4621A172638EAFA001140F6
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1372592
                          Entropy (8bit):7.999861765609051
                          Encrypted:true
                          SSDEEP:24576:2kMb3vsiC+gx2uaeFPJSyOODttN98lqcaSe6IblRJRyfDcKNbSbm:2BLSjjTdOO/N981He66RJRADqm
                          MD5:13E2444DA7092C99CD5B7D74CAF035A3
                          SHA1:127F47FDBA8D8CCD5515AEF760DFFBBF4B8AE75F
                          SHA-256:9CFB0AE92EF977DA9735DB02DC5BC51053B329C0FC7E1592655C4494D20C097B
                          SHA-512:A6C9F4C85CBA1DF6C41AC03AA2F9076095B4A710FD344AE4C29A183B17947AC69A13293B6371B09EC937150DC0A5663B38A36E97F4621A172638EAFA001140F6
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:DOS executable (COM, 0x8C-variant)
                          Category:dropped
                          Size (bytes):1122527
                          Entropy (8bit):7.999876279585022
                          Encrypted:true
                          SSDEEP:24576:dlXGATpPsSoQPBKfqOMpMPpEuO/GoVuLr1JJLqbNGt:vWATtsniOC5xqINGt
                          MD5:B3AD8FA0868DACAD08D5437F30AC2FA1
                          SHA1:FD04617E2774C1C6CF2606CFA67E0AB1E3AF51E5
                          SHA-256:CC7BA22A1B12BC01EFA6EB6BB36BD78217D639BB1DA81DA49B2D19791B05C97E
                          SHA-512:699420BAFA2ED1EC0C4ED5F375EABBF74AAB13E068926C498F09252AD89674875A1F079AA014E1E2E2B78850A81766875F98E79D036904E6380F38BA96976091
                          Malicious:true
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56530
                          Entropy (8bit):7.997218177041297
                          Encrypted:true
                          SSDEEP:768:bFT8dTObt1UzruZjpqVnCUjSzTi1AbkiaQXFQo5POZZJDkFLYTELoETZt6IhO5U:xKKt1U+uHjSzTi17QXfm/gF2ETA5U
                          MD5:34186AA3062BA60A4C997F9C1004A570
                          SHA1:450376B4EAC800CA98B7B0F06AD93DE4BF058A4F
                          SHA-256:3C911A027BA4EF1F78B2A48944303D73DBD1CD449EE0B388EA2146E05F6A5D6E
                          SHA-512:B5B4A6B65EF8C786A40E4A914A2ACB8036175F50D7B55CC68CF25F0C87F1C48E8ADE25755037A00579D583FEF23E1DB54D720348AD43E2CC36CE46EF2C6A1361
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56530
                          Entropy (8bit):7.997218177041301
                          Encrypted:true
                          SSDEEP:1536:5qt3xRyiDQT63RriabdPfa9P/NVhJ4HbFD3HrWL:5qX8AdiabdnaJlvJcbFDr0
                          MD5:B668EDD4A3E4F2F8CE3332FAAB1533E5
                          SHA1:0899B770D8FFD3816D5CC40D734B786BEAFC5FB0
                          SHA-256:64E6660AD0767803AE1FEB3B34913252EF4A0A6D81ACE914D7D763D66B17E444
                          SHA-512:F53F01A084BB3EE02E248DE539AC1484DD7EEDD4CA771724C766C7B0949559C3423C42FE6C5122930BD77FB76A77D033D733EBADFACE1C39C81C257985343FFE
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255975
                          Encrypted:true
                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255979
                          Encrypted:true
                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                          MD5:4CB8B7E557C80FC7B014133AB834A042
                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                          MD5:8622FC7228777F64A47BD6C61478ADD9
                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.99759370165655
                          Encrypted:true
                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                          MD5:950338D50B95A25F494EE74E97B7B7A9
                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.997593701656546
                          Encrypted:true
                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653607
                          Encrypted:true
                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653608
                          Encrypted:true
                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):1372592
                          Entropy (8bit):7.999861765609055
                          Encrypted:true
                          SSDEEP:24576:RXC0Z1CE1cj75fLWLdnGXl5NToCVCKJandcOFA4pzFae0drtI8:NC0ytfUusCEKMnm4rJGrt7
                          MD5:C4F802091F7963ED5DE1360E7B79177B
                          SHA1:314320F5F9B1D26478D53D614460820F23E3F80A
                          SHA-256:9FB179273573C37A0155795E11CB301B193D4A6D26E9894CB6E324F27EAA91D6
                          SHA-512:C12610102BAC3C167A80E4E5C60FB23AB04A2266ADE87F72918B885E6EF5436984CEDEF508CEECFDDD22FD155F371BAE0A1207B1C8ABBEBF14DBE04161741460
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:PE32+ executable (native) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):63640
                          Entropy (8bit):6.482810107683822
                          Encrypted:false
                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.347034835751068
                          Encrypted:false
                          SSDEEP:48:dXKLzDlnlL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlncwhldOVQOj6dKbKsz7
                          MD5:062A3AACBCFA04B7986F0AAB0F7767C0
                          SHA1:FD7A28C2D6B030B8E15622CEFFD824224F684973
                          SHA-256:F46F7F3F8B4763B62B3B2E02E24B0300E3AB741DD3770F93FCFE7D1A26B1C46D
                          SHA-512:9F0435883F31D801EFEC0A378473566F68CDD0DA9FBC36F2B431380D8E852E297891BD3AFC952E90CC5ED01C9041C79402FD774BFE98B036D73F9FDD65771B79
                          Malicious:false
                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:DOS executable (COM, 0x8C-variant)
                          Category:dropped
                          Size (bytes):1122527
                          Entropy (8bit):7.999876279585022
                          Encrypted:true
                          SSDEEP:24576:dlXGATpPsSoQPBKfqOMpMPpEuO/GoVuLr1JJLqbNGt:vWATtsniOC5xqINGt
                          MD5:B3AD8FA0868DACAD08D5437F30AC2FA1
                          SHA1:FD04617E2774C1C6CF2606CFA67E0AB1E3AF51E5
                          SHA-256:CC7BA22A1B12BC01EFA6EB6BB36BD78217D639BB1DA81DA49B2D19791B05C97E
                          SHA-512:699420BAFA2ED1EC0C4ED5F375EABBF74AAB13E068926C498F09252AD89674875A1F079AA014E1E2E2B78850A81766875F98E79D036904E6380F38BA96976091
                          Malicious:true
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1628158735648508
                          Encrypted:false
                          SSDEEP:3:Nlllulzh8//h:NllUu
                          MD5:2D936C9957097D6631C64386010C648E
                          SHA1:AD0125A442F7BD53E9959CB996B58A685B09B85E
                          SHA-256:C93CB35DFCB4C1F5BD3B665C67D749E585887E56B9081D0E9FC47F54909E7119
                          SHA-512:27B07DBB385D27EF522ED09079877C6EBE9444FBE1E4401AF8BABB4B2EE4FC1CF7BC1A09B31A3A52ACA217B40E2B8207A5441D04F1C6D9A44C05E51C4D49E4AB
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530564693555266
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:5F1FEB7EA510D8FB9A35D5802519EBDB
                          SHA1:76DFFF4701B450FDB9F1636C813CED8A2597C393
                          SHA-256:478B5ED05CCC5C8760F4F9F8E9A805C0533166EC4C6068DD072EFCB3B83AD914
                          SHA-512:86113DA5A1F402E3ECEA30BD21B6DBECFE2FC128206D622683EC5FA0B0D3E7106E9FF59B42268C8D159F7C7A26CB87C0C20CFF3B8388D8EC5F9F5A49C24A6BEC
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530564693555266
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:5F1FEB7EA510D8FB9A35D5802519EBDB
                          SHA1:76DFFF4701B450FDB9F1636C813CED8A2597C393
                          SHA-256:478B5ED05CCC5C8760F4F9F8E9A805C0533166EC4C6068DD072EFCB3B83AD914
                          SHA-512:86113DA5A1F402E3ECEA30BD21B6DBECFE2FC128206D622683EC5FA0B0D3E7106E9FF59B42268C8D159F7C7A26CB87C0C20CFF3B8388D8EC5F9F5A49C24A6BEC
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:ASCII text, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):406
                          Entropy (8bit):5.117520345541057
                          Encrypted:false
                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                          MD5:9200058492BCA8F9D88B4877F842C148
                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                          Malicious:false
                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.929735641736926
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.04%
                          • Inno Setup installer (109748/4) 1.08%
                          • InstallShield setup (43055/19) 0.42%
                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                          File name:#U5b89#U88c5#U52a9#U624b2.0.4.exe
                          File size:6'130'073 bytes
                          MD5:824d18101868c00261fd732e2e713fa6
                          SHA1:04df8109561e9a1aed04fa7ed7d4b3c931bde5c7
                          SHA256:2e5c530decd37133e50f6b149f634973e54cf555abcb309e829a3e8dcd223724
                          SHA512:e46b38c9686166825c2b9c181dd6367d71dd43efc1cd6787365b31efbd3d30485bb9af4309ef6282944012c4e13deaafb5615b05ee51696a5e5e4591b1f6997b
                          SSDEEP:98304:XwREyCzROurNY2vz6L0BKz3tuUqNCP3vqUN/0HQL1mdruCXTTYE/t9+dMwZg6:lykdrNYu6QBKxONOvqUNn1UuusE/t9kn
                          TLSH:A3561222F2C7E03EE05D0B3706B2A55494FB6A256923AE5796ECB4ECCF350601D3E257
                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:0c0c2d33ceec80aa
                          Entrypoint:0x4a83bc
                          Entrypoint Section:.itext
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                          Instruction
                          push ebp
                          mov ebp, esp
                          add esp, FFFFFFA4h
                          push ebx
                          push esi
                          push edi
                          xor eax, eax
                          mov dword ptr [ebp-3Ch], eax
                          mov dword ptr [ebp-40h], eax
                          mov dword ptr [ebp-5Ch], eax
                          mov dword ptr [ebp-30h], eax
                          mov dword ptr [ebp-38h], eax
                          mov dword ptr [ebp-34h], eax
                          mov dword ptr [ebp-2Ch], eax
                          mov dword ptr [ebp-28h], eax
                          mov dword ptr [ebp-14h], eax
                          mov eax, 004A2EBCh
                          call 00007F78210114B5h
                          xor eax, eax
                          push ebp
                          push 004A8AC1h
                          push dword ptr fs:[eax]
                          mov dword ptr fs:[eax], esp
                          xor edx, edx
                          push ebp
                          push 004A8A7Bh
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          mov eax, dword ptr [004B0634h]
                          call 00007F78210A2E3Bh
                          call 00007F78210A298Eh
                          lea edx, dword ptr [ebp-14h]
                          xor eax, eax
                          call 00007F782109D668h
                          mov edx, dword ptr [ebp-14h]
                          mov eax, 004B41F4h
                          call 00007F782100B563h
                          push 00000002h
                          push 00000000h
                          push 00000001h
                          mov ecx, dword ptr [004B41F4h]
                          mov dl, 01h
                          mov eax, dword ptr [0049CD14h]
                          call 00007F782109E993h
                          mov dword ptr [004B41F8h], eax
                          xor edx, edx
                          push ebp
                          push 004A8A27h
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          call 00007F78210A2EC3h
                          mov dword ptr [004B4200h], eax
                          mov eax, dword ptr [004B4200h]
                          cmp dword ptr [eax+0Ch], 01h
                          jne 00007F78210A9BAAh
                          mov eax, dword ptr [004B4200h]
                          mov edx, 00000028h
                          call 00007F782109F288h
                          mov edx, dword ptr [004B4200h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xcb000 | 0x11000 | 0x11000 | 83b103c4b8d25647aa6c77f46a91d41c | False | 0.18768669577205882 | data | 3.722817808854048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                          RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                          RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                          RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                          RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                          RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                          RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                          RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                          RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                          RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                          RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                          RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                          RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                          RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                          RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                          RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                          RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                          RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                          RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                          RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                          RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                          RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                          RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                          RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                          RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                          RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                          RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                          RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                          RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2776203966005666
                          RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                          DLL | Import
                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                          comctl32.dll | InitCommonControls
                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                          Name | Ordinal | Address
                          __dbk_fcall_wrapper | 2 | 0x40fc10
                          dbkFCallWrapperAddr | 1 | 0x4b063c
                          Language of compilation system | Country where language is spoken | Map
                          English | United States |
                          No network behavior found

                          Target ID:0
                          Start time:07:13:09
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe"
                          Imagebase:0x1e0000
                          File size:6'130'073 bytes
                          MD5 hash:824D18101868C00261FD732E2E713FA6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:07:13:09
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-HATNU.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1046E,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe"
                          Imagebase:0xdd0000
                          File size:3'366'912 bytes
                          MD5 hash:5F1FEB7EA510D8FB9A35D5802519EBDB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:3
                          Start time:07:13:10
                          Start date:24/12/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                          Imagebase:0x7ff6cb6b0000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:07:13:10
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:07:13:16
                          Start date:24/12/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff605670000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:6
                          Start time:07:13:18
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
                          Imagebase:0x1e0000
                          File size:6'130'073 bytes
                          MD5 hash:824D18101868C00261FD732E2E713FA6
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:false

                          Target ID:7
                          Start time:07:13:19
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-B0P2L.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$50484,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
                          Imagebase:0x20000
                          File size:3'366'912 bytes
                          MD5 hash:5F1FEB7EA510D8FB9A35D5802519EBDB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:07:13:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:07:13:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:07:13:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:07:13:21
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                          Imagebase:0xe0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, ReversingLabs
                          Has exited:true

                          Target ID:12
                          Start time:07:13:21
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:13
                          Start time:07:13:22
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                          Imagebase:0xe0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:07:13:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:07:13:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:07:13:22
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:21
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:22
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:23
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:25
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:26
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:27
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:30
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:33
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:07:13:23
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:36
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:41
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:42
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:46
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:47
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:49
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:50
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:51
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:52
                          Start time:07:13:24
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:53
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:54
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:55
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:56
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:57
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:58
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:59
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:60
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x490000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:61
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:62
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:63
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:64
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:65
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:66
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:67
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:68
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:69
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:70
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:71
                          Start time:07:13:25
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:72
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:73
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:74
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:75
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:76
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:77
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:78
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:79
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:80
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:81
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:82
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:83
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:84
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:85
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:86
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:87
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:88
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:89
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:90
                          Start time:07:13:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:91
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:92
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:93
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:94
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:95
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:96
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:97
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:98
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:99
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:100
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:101
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:102
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:103
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:104
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff760b60000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:105
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6ee680000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:106
                          Start time:07:13:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff68fab0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:266
                          Start time:07:13:34
                          Start date:24/12/2024
                          Path:C:\Windows\System32\Conhost.exe
                          Wow64 process (32bit):
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:
                          Has administrator privileges:
                          Programmed in:C, C++ or other language
                          Has exited:false


                            Execution Graph

                            Execution Coverage:2.3%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:15.4%
                            Total number of Nodes:787
                            Total number of Limit Nodes:13
execution_graph
66218->66763 66220 6c3d7e13 std::invalid_argument::invalid_argument 66764 6c3d98e9 RaiseException 66220->66764 66222->66101 66224->66118 66226 6c3d6595 66225->66226 66315 6c2a2020 66226->66315 66228 6c3d6636 66229 6c3d6fb3 std::_Facet_Register 4 API calls 66228->66229 66230 6c3d666e 66229->66230 66332 6c3d7897 66230->66332 66232 6c3d6682 66344 6c2a1d90 66232->66344 66235 6c3d675c 66235->66195 66237 6c3d6796 66352 6c2a26e0 24 API calls 4 library calls 66237->66352 66239 6c3d67a8 66353 6c3d98e9 RaiseException 66239->66353 66241 6c3d67bd 66242 6c29e010 67 API calls 66241->66242 66243 6c3d67cf 66242->66243 66243->66195 66245 6c276bd5 66244->66245 66246 6c2a2020 52 API calls 66245->66246 66247 6c276c68 66246->66247 66248 6c3d6fb3 std::_Facet_Register 4 API calls 66247->66248 66249 6c276ca0 66248->66249 66250 6c3d7897 43 API calls 66249->66250 66251 6c276cb4 66250->66251 66252 6c2a1d90 89 API calls 66251->66252 66253 6c276d5d 66252->66253 66254 6c276d8e 66253->66254 66663 6c2a2250 30 API calls 66253->66663 66254->66201 66256 6c276dc8 66664 6c2a26e0 24 API calls 4 library calls 66256->66664 66258 6c276dda 66665 6c3d98e9 RaiseException 66258->66665 66260 6c276def 66261 6c29e010 67 API calls 66260->66261 66262 6c276e0f 66261->66262 66262->66201 66264 6c3d68fd 66263->66264 66666 6c3d6b10 66264->66666 66266 6c3d69ec 66266->66201 66269 6c3d6915 66269->66266 66684 6c2a2250 30 API calls 66269->66684 66685 6c2a26e0 24 API calls 4 library calls 66269->66685 66686 6c3d98e9 RaiseException 66269->66686 66272 6c2b23af 66271->66272 66275 6c2b23c3 66272->66275 66695 6c2a3560 32 API calls std::_Xinvalid_argument 66272->66695 66277 6c2b247e 66275->66277 66697 6c2a2250 30 API calls 66275->66697 66698 6c2a26e0 24 API calls 4 library calls 66275->66698 66699 6c3d98e9 RaiseException 66275->66699 66278 6c2b2491 66277->66278 66696 6c2a37e0 32 API calls std::_Xinvalid_argument 66277->66696 66278->66201 66282 6c3d610e 66281->66282 66286 6c3d6141 66281->66286 66700 6c2a01f0 66282->66700 66284 
6c3d61f3 66284->66205 66286->66284 66704 6c2a2250 30 API calls 66286->66704 66287 6c3e1088 67 API calls 66287->66286 66289 6c3d621e 66705 6c2a2340 24 API calls 66289->66705 66291 6c3d622e 66706 6c3d98e9 RaiseException 66291->66706 66293 6c3d6239 66294 6c29e010 67 API calls 66293->66294 66295 6c3d6292 std::ios_base::_Ios_base_dtor 66294->66295 66295->66205 66297 6c29e04b 66296->66297 66298 6c2a01f0 64 API calls 66297->66298 66299 6c29e0a3 66297->66299 66300 6c29e098 66298->66300 66299->66198 66301 6c3e1088 67 API calls 66300->66301 66301->66299 66303 6c27709e 66302->66303 66306 6c2770d1 66302->66306 66304 6c2a01f0 64 API calls 66303->66304 66307 6c2770c4 66304->66307 66305 6c277183 66305->66208 66306->66305 66758 6c2a2250 30 API calls 66306->66758 66308 6c3e1088 67 API calls 66307->66308 66308->66306 66310 6c2771ae 66759 6c2a2340 24 API calls 66310->66759 66312 6c2771be 66760 6c3d98e9 RaiseException 66312->66760 66314 6c2771c9 66316 6c3d6fb3 std::_Facet_Register 4 API calls 66315->66316 66317 6c2a207e 66316->66317 66318 6c3d7897 43 API calls 66317->66318 66319 6c2a2092 66318->66319 66354 6c2a2f60 42 API calls 4 library calls 66319->66354 66321 6c2a20c8 66322 6c2a210d 66321->66322 66323 6c2a2136 66321->66323 66324 6c2a2120 66322->66324 66355 6c3d74fe 9 API calls 2 library calls 66322->66355 66356 6c2a2250 30 API calls 66323->66356 66324->66228 66327 6c2a215b 66357 6c2a2340 24 API calls 66327->66357 66329 6c2a2171 66358 6c3d98e9 RaiseException 66329->66358 66331 6c2a217c 66331->66228 66333 6c3d78a3 __EH_prolog3 66332->66333 66359 6c3d7425 66333->66359 66338 6c3d78c1 66373 6c3d792a 39 API calls std::locale::_Setgloballocale 66338->66373 66340 6c3d78df 66365 6c3d7456 66340->66365 66341 6c3d791c 66341->66232 66342 6c3d78c9 66374 6c3d7721 HeapFree GetLastError _Yarn 66342->66374 66345 6c2a1ddc 66344->66345 66346 6c2a1dc7 66344->66346 66379 6c3d79b7 66345->66379 66346->66235 66351 6c2a2250 30 API calls 66346->66351 66350 6c2a1e82 66351->66237 66352->66239 66353->66241 
66354->66321 66355->66324 66356->66327 66357->66329 66358->66331 66360 6c3d743b 66359->66360 66361 6c3d7434 66359->66361 66364 6c3d7439 66360->66364 66376 6c3d8afb EnterCriticalSection 66360->66376 66375 6c3e093d 6 API calls std::_Lockit::_Lockit 66361->66375 66364->66340 66372 6c3d77a0 6 API calls 2 library calls 66364->66372 66366 6c3e094b 66365->66366 66367 6c3d7460 66365->66367 66378 6c3e0926 LeaveCriticalSection 66366->66378 66369 6c3d7473 66367->66369 66377 6c3d8b09 LeaveCriticalSection 66367->66377 66369->66341 66371 6c3e0952 66371->66341 66372->66338 66373->66342 66374->66340 66375->66364 66376->66364 66377->66369 66378->66371 66380 6c3d79c0 66379->66380 66382 6c2a1dea 66380->66382 66388 6c3e02ba 66380->66388 66382->66346 66387 6c3dcad3 18 API calls __wsopen_s 66382->66387 66383 6c3d7a0c 66383->66382 66399 6c3dffc8 65 API calls 66383->66399 66385 6c3d7a27 66385->66382 66400 6c3e1088 66385->66400 66387->66350 66389 6c3e02c5 __wsopen_s 66388->66389 66390 6c3e02d8 66389->66390 66391 6c3e02f8 66389->66391 66425 6c3e0690 18 API calls __wsopen_s 66390->66425 66395 6c3e02e8 66391->66395 66411 6c3eb37c 66391->66411 66395->66383 66399->66385 66401 6c3e1094 __wsopen_s 66400->66401 66402 6c3e109e 66401->66402 66403 6c3e10b3 66401->66403 66549 6c3e0690 18 API calls __wsopen_s 66402->66549 66407 6c3e10ae 66403->66407 66534 6c3dcb19 EnterCriticalSection 66403->66534 66406 6c3e10d0 66535 6c3e110c 66406->66535 66407->66382 66409 6c3e10db 66550 6c3e1102 LeaveCriticalSection 66409->66550 66412 6c3eb388 __wsopen_s 66411->66412 66427 6c3e090f EnterCriticalSection 66412->66427 66414 6c3eb396 66428 6c3eb420 66414->66428 66419 6c3eb4e2 66420 6c3eb601 66419->66420 66452 6c3eb684 66420->66452 66423 6c3e033c 66426 6c3e0365 LeaveCriticalSection 66423->66426 66425->66395 66426->66395 66427->66414 66436 6c3eb443 66428->66436 66429 6c3eb3a3 66442 6c3eb3dc 66429->66442 66430 6c3eb49b 66447 6c3e7755 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 
66430->66447 66432 6c3eb4a4 66448 6c3e4d2b HeapFree GetLastError _free 66432->66448 66435 6c3eb4ad 66435->66429 66449 6c3e718f 6 API calls std::_Lockit::_Lockit 66435->66449 66436->66429 66436->66430 66436->66436 66445 6c3dcb19 EnterCriticalSection 66436->66445 66446 6c3dcb2d LeaveCriticalSection 66436->66446 66439 6c3eb4cc 66450 6c3dcb19 EnterCriticalSection 66439->66450 66441 6c3eb4df 66441->66429 66451 6c3e0926 LeaveCriticalSection 66442->66451 66444 6c3e0313 66444->66395 66444->66419 66445->66436 66446->66436 66447->66432 66448->66435 66449->66439 66450->66441 66451->66444 66453 6c3eb6a3 66452->66453 66454 6c3eb6b6 66453->66454 66458 6c3eb6cb 66453->66458 66468 6c3e0690 18 API calls __wsopen_s 66454->66468 66456 6c3eb617 66456->66423 66465 6c3f454e 66456->66465 66458->66458 66461 6c3eb7eb 66458->66461 66469 6c3f4418 37 API calls __wsopen_s 66458->66469 66460 6c3eb83b 66460->66461 66470 6c3f4418 37 API calls __wsopen_s 66460->66470 66461->66456 66472 6c3e0690 18 API calls __wsopen_s 66461->66472 66463 6c3eb859 66463->66461 66471 6c3f4418 37 API calls __wsopen_s 66463->66471 66473 6c3f4906 66465->66473 66468->66456 66469->66460 66470->66463 66471->66461 66472->66456 66475 6c3f4912 __wsopen_s 66473->66475 66474 6c3f4919 66491 6c3e0690 18 API calls __wsopen_s 66474->66491 66475->66474 66476 6c3f4944 66475->66476 66482 6c3f456e 66476->66482 66481 6c3f4569 66481->66423 66493 6c3e0c3b 66482->66493 66487 6c3f45a4 66489 6c3f45d6 66487->66489 66533 6c3e4d2b HeapFree GetLastError _free 66487->66533 66492 6c3f499b LeaveCriticalSection __wsopen_s 66489->66492 66491->66481 66492->66481 66494 6c3dc25b __fassign 37 API calls 66493->66494 66495 6c3e0c4d 66494->66495 66496 6c3e0c5f 66495->66496 66497 6c3e6f45 __wsopen_s 5 API calls 66495->66497 66498 6c3dc366 66496->66498 66497->66496 66499 6c3dc3be __wsopen_s GetLastError HeapFree GetLastError MultiByteToWideChar 66498->66499 66500 6c3dc37e 66499->66500 66500->66487 66501 6c3f45dc 66500->66501 66502 6c3f4a5c __wsopen_s 18 API 
calls 66501->66502 66503 6c3f45f9 66502->66503 66504 6c3f1b7c __wsopen_s 14 API calls 66503->66504 66507 6c3f460e __dosmaperr 66503->66507 66505 6c3f462c 66504->66505 66506 6c3f49c7 __wsopen_s CreateFileW 66505->66506 66505->66507 66513 6c3f4685 66506->66513 66507->66487 66508 6c3f4702 GetFileType 66509 6c3f470d GetLastError 66508->66509 66510 6c3f4754 66508->66510 66512 6c3dff62 __dosmaperr 66509->66512 66516 6c3f1d20 __wsopen_s SetStdHandle 66510->66516 66511 6c3f46d7 GetLastError 66511->66507 66514 6c3f471b CloseHandle 66512->66514 66513->66508 66513->66511 66515 6c3f49c7 __wsopen_s CreateFileW 66513->66515 66514->66507 66529 6c3f4744 66514->66529 66517 6c3f46ca 66515->66517 66518 6c3f4775 66516->66518 66517->66508 66517->66511 66519 6c3f47c1 66518->66519 66520 6c3f4bd6 __wsopen_s 70 API calls 66518->66520 66521 6c3f4c80 __wsopen_s 70 API calls 66519->66521 66523 6c3f47c8 66519->66523 66520->66519 66522 6c3f47f6 66521->66522 66522->66523 66524 6c3f4804 66522->66524 66525 6c3ebe95 __wsopen_s 21 API calls 66523->66525 66524->66507 66526 6c3f4880 CloseHandle 66524->66526 66525->66507 66527 6c3f49c7 __wsopen_s CreateFileW 66526->66527 66528 6c3f48ab 66527->66528 66528->66529 66530 6c3f48b5 GetLastError 66528->66530 66529->66507 66531 6c3f48c1 __dosmaperr 66530->66531 66532 6c3f1c8f __wsopen_s SetStdHandle 66531->66532 66532->66529 66533->66489 66534->66406 66536 6c3e112e 66535->66536 66537 6c3e1119 66535->66537 66541 6c3e1129 66536->66541 66551 6c3e1229 66536->66551 66573 6c3e0690 18 API calls __wsopen_s 66537->66573 66541->66409 66545 6c3e1151 66566 6c3ebe08 66545->66566 66547 6c3e1157 66547->66541 66574 6c3e4d2b HeapFree GetLastError _free 66547->66574 66549->66407 66550->66407 66552 6c3e1241 66551->66552 66556 6c3e1143 66551->66556 66553 6c3ea1d0 18 API calls 66552->66553 66552->66556 66554 6c3e125f 66553->66554 66575 6c3ec0dc 66554->66575 66557 6c3e8cae 66556->66557 66558 6c3e114b 66557->66558 66559 6c3e8cc5 66557->66559 66561 6c3ea1d0 66558->66561 66559->66558 
66631 6c3e4d2b HeapFree GetLastError _free 66559->66631 66562 6c3ea1dc 66561->66562 66563 6c3ea1f1 66561->66563 66632 6c3e0690 18 API calls __wsopen_s 66562->66632 66563->66545 66565 6c3ea1ec 66565->66545 66567 6c3ebe2e 66566->66567 66571 6c3ebe19 __dosmaperr 66566->66571 66568 6c3ebe55 66567->66568 66570 6c3ebe77 __dosmaperr 66567->66570 66633 6c3ebf31 66568->66633 66641 6c3e0690 18 API calls __wsopen_s 66570->66641 66571->66547 66573->66541 66574->66541 66576 6c3ec0e8 __wsopen_s 66575->66576 66577 6c3ec13a 66576->66577 66578 6c3ec1a3 __dosmaperr 66576->66578 66581 6c3ec0f0 __dosmaperr 66576->66581 66586 6c3f1f00 EnterCriticalSection 66577->66586 66616 6c3e0690 18 API calls __wsopen_s 66578->66616 66580 6c3ec140 66584 6c3ec15c __dosmaperr 66580->66584 66587 6c3ec1ce 66580->66587 66581->66556 66615 6c3ec19b LeaveCriticalSection __wsopen_s 66584->66615 66586->66580 66588 6c3ec1f0 66587->66588 66614 6c3ec20c __dosmaperr 66587->66614 66589 6c3ec244 66588->66589 66591 6c3ec1f4 __dosmaperr 66588->66591 66590 6c3ec257 66589->66590 66625 6c3eb1d9 20 API calls __wsopen_s 66589->66625 66617 6c3ec3b0 66590->66617 66624 6c3e0690 18 API calls __wsopen_s 66591->66624 66596 6c3ec2ac 66598 6c3ec305 WriteFile 66596->66598 66599 6c3ec2c0 66596->66599 66597 6c3ec26d 66600 6c3ec296 66597->66600 66601 6c3ec271 66597->66601 66602 6c3ec329 GetLastError 66598->66602 66598->66614 66604 6c3ec2cb 66599->66604 66605 6c3ec2f5 66599->66605 66627 6c3ec421 43 API calls 5 library calls 66600->66627 66601->66614 66626 6c3ec7cb 6 API calls __wsopen_s 66601->66626 66602->66614 66606 6c3ec2e5 66604->66606 66607 6c3ec2d0 66604->66607 66630 6c3ec833 7 API calls 2 library calls 66605->66630 66629 6c3ec9f7 8 API calls 3 library calls 66606->66629 66610 6c3ec2d5 66607->66610 66607->66614 66628 6c3ec90e 7 API calls 2 library calls 66610->66628 66612 6c3ec2e3 66612->66614 66614->66584 66615->66581 66616->66581 66618 6c3f1f55 __wsopen_s 18 API calls 66617->66618 66619 6c3ec3c1 66618->66619 66620 6c3ec268 
66619->66620 66621 6c3e4f22 __Getctype 37 API calls 66619->66621 66620->66596 66620->66597 66622 6c3ec3e4 66621->66622 66622->66620 66623 6c3ec3fe GetConsoleMode 66622->66623 66623->66620 66624->66614 66625->66590 66626->66614 66627->66614 66628->66612 66629->66612 66630->66612 66631->66558 66632->66565 66634 6c3ebf3d __wsopen_s 66633->66634 66642 6c3f1f00 EnterCriticalSection 66634->66642 66636 6c3ebf4b 66638 6c3ebf78 66636->66638 66643 6c3ebe95 66636->66643 66656 6c3ebfb1 LeaveCriticalSection __wsopen_s 66638->66656 66640 6c3ebf9a 66640->66571 66641->66571 66642->66636 66657 6c3f1b12 66643->66657 66645 6c3ebeab 66662 6c3f1c8f SetStdHandle __dosmaperr __wsopen_s 66645->66662 66647 6c3ebea5 66647->66645 66648 6c3ebedd 66647->66648 66649 6c3f1b12 __wsopen_s 18 API calls 66647->66649 66648->66645 66650 6c3f1b12 __wsopen_s 18 API calls 66648->66650 66651 6c3ebed4 66649->66651 66652 6c3ebee9 CloseHandle 66650->66652 66653 6c3f1b12 __wsopen_s 18 API calls 66651->66653 66652->66645 66654 6c3ebef5 GetLastError 66652->66654 66653->66648 66654->66645 66655 6c3ebf03 __dosmaperr 66655->66638 66656->66640 66658 6c3f1b1f __dosmaperr 66657->66658 66660 6c3f1b34 __dosmaperr 66657->66660 66658->66647 66659 6c3f1b59 66659->66647 66660->66659 66661 6c3e0690 __wsopen_s 18 API calls 66660->66661 66661->66658 66662->66655 66663->66256 66664->66258 66665->66260 66667 6c3d6b4c 66666->66667 66668 6c3d6b78 66666->66668 66682 6c3d6b71 66667->66682 66689 6c2a2250 30 API calls 66667->66689 66674 6c3d6b89 66668->66674 66687 6c2a3560 32 API calls std::_Xinvalid_argument 66668->66687 66671 6c3d6d58 66690 6c2a2340 24 API calls 66671->66690 66673 6c3d6d67 66691 6c3d98e9 RaiseException 66673->66691 66674->66682 66688 6c2a2f60 42 API calls 4 library calls 66674->66688 66678 6c3d6d97 66693 6c2a2340 24 API calls 66678->66693 66680 6c3d6dad 66694 6c3d98e9 RaiseException 66680->66694 66682->66269 66683 6c3d6bc3 66683->66682 66692 6c2a2250 30 API calls 66683->66692 66684->66269 66685->66269 66686->66269 
66687->66674 66688->66683 66689->66671 66690->66673 66691->66683 66692->66678 66693->66680 66694->66682 66695->66275 66696->66278 66697->66275 66698->66275 66699->66275 66701 6c2a022e 66700->66701 66702 6c2a04d6 66701->66702 66707 6c3e1d4b 66701->66707 66702->66287 66704->66289 66705->66291 66706->66293 66708 6c3e1d59 66707->66708 66709 6c3e1d76 66707->66709 66708->66709 66710 6c3e1d7a 66708->66710 66712 6c3e1d66 66708->66712 66709->66701 66715 6c3e1f72 66710->66715 66723 6c3e0690 18 API calls __wsopen_s 66712->66723 66716 6c3e1f7e __wsopen_s 66715->66716 66724 6c3dcb19 EnterCriticalSection 66716->66724 66718 6c3e1f8c 66725 6c3e1f2f 66718->66725 66722 6c3e1dac 66722->66701 66723->66709 66724->66718 66733 6c3e8b16 66725->66733 66731 6c3e1f69 66732 6c3e1fc1 LeaveCriticalSection 66731->66732 66732->66722 66734 6c3ea1d0 18 API calls 66733->66734 66735 6c3e8b27 66734->66735 66750 6c3f1f55 66735->66750 66737 6c3e1f43 66740 6c3e1dae 66737->66740 66738 6c3e8b2d __wsopen_s 66738->66737 66755 6c3e4d2b HeapFree GetLastError _free 66738->66755 66742 6c3e1dc0 66740->66742 66744 6c3e1dde 66740->66744 66741 6c3e1dce 66757 6c3e0690 18 API calls __wsopen_s 66741->66757 66742->66741 66742->66744 66747 6c3e1df6 _Yarn 66742->66747 66749 6c3e8bc9 62 API calls 66744->66749 66745 6c3e1229 62 API calls 66745->66747 66746 6c3ea1d0 18 API calls 66746->66747 66747->66744 66747->66745 66747->66746 66748 6c3ec0dc __wsopen_s 62 API calls 66747->66748 66748->66747 66749->66731 66752 6c3f1f62 66750->66752 66753 6c3f1f6f 66750->66753 66751 6c3f1f7b 66751->66738 66752->66738 66753->66751 66756 6c3e0690 18 API calls __wsopen_s 66753->66756 66755->66737 66756->66752 66757->66744 66758->66310 66759->66312 66760->66314 66761->66210 66762->66218 66763->66220 66764->66213 66765->66216 66766 6c3df4af 66767 6c3df4bb __wsopen_s 66766->66767 66768 6c3df4cf 66767->66768 66769 6c3df4c2 GetLastError ExitThread 66767->66769 66778 6c3e4f22 GetLastError 66768->66778 66774 6c3df4eb 66812 6c3df41a 16 API calls 2 
library calls 66774->66812 66777 6c3df50d 66779 6c3e4f39 66778->66779 66780 6c3e4f3f 66778->66780 66813 6c3e7093 6 API calls std::_Lockit::_Lockit 66779->66813 66784 6c3e4f45 SetLastError 66780->66784 66814 6c3e70d2 6 API calls std::_Lockit::_Lockit 66780->66814 66783 6c3e4f5d 66783->66784 66785 6c3e4f61 66783->66785 66791 6c3e4fd9 66784->66791 66792 6c3df4d4 66784->66792 66815 6c3e7755 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 66785->66815 66787 6c3e4f6d 66789 6c3e4f8c 66787->66789 66790 6c3e4f75 66787->66790 66818 6c3e70d2 6 API calls std::_Lockit::_Lockit 66789->66818 66816 6c3e70d2 6 API calls std::_Lockit::_Lockit 66790->66816 66821 6c3e1039 37 API calls std::locale::_Setgloballocale 66791->66821 66806 6c3ea2d6 66792->66806 66797 6c3e4f98 66799 6c3e4f9c 66797->66799 66800 6c3e4fad 66797->66800 66798 6c3e4f83 66817 6c3e4d2b HeapFree GetLastError _free 66798->66817 66819 6c3e70d2 6 API calls std::_Lockit::_Lockit 66799->66819 66820 6c3e4d2b HeapFree GetLastError _free 66800->66820 66803 6c3e4f89 66803->66784 66805 6c3e4fbf 66805->66784 66807 6c3ea2e8 GetPEB 66806->66807 66810 6c3df4df 66806->66810 66808 6c3ea2fb 66807->66808 66807->66810 66822 6c3e7388 5 API calls std::_Lockit::_Lockit 66808->66822 66810->66774 66811 6c3e72df 5 API calls std::_Lockit::_Lockit 66810->66811 66811->66774 66812->66777 66813->66780 66814->66783 66815->66787 66816->66798 66817->66803 66818->66797 66819->66798 66820->66805 66822->66810 66823 6c263b72 66824 6c3d6fb3 std::_Facet_Register 4 API calls 66823->66824 66832 6c2637e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 66824->66832 66825 6c3cb430 FindFirstFileA 66825->66832 66826 6c27639e 66846 6c3e06a0 18 API calls 2 library calls 66826->66846 66828 6c276ba0 104 API calls 66828->66832 66830 6c277090 77 API calls 66830->66832 66831 6c29e010 67 API calls 66831->66832 66832->66825 66832->66826 66832->66828 66832->66830 66832->66831 66836 6c276e60 66832->66836 66837 6c276e9f 66836->66837 66840 
6c276eb3 66837->66840 66847 6c2a3560 32 API calls std::_Xinvalid_argument 66837->66847 66842 6c276f5b 66840->66842 66849 6c2a2250 30 API calls 66840->66849 66850 6c2a26e0 24 API calls 4 library calls 66840->66850 66851 6c3d98e9 RaiseException 66840->66851 66843 6c276f6e 66842->66843 66848 6c2a37e0 32 API calls std::_Xinvalid_argument 66842->66848 66843->66832 66847->66840 66848->66843 66849->66840 66850->66840 66851->66840 66852 6c254b53 66853 6c3d6fb3 std::_Facet_Register 4 API calls 66852->66853 66854 6c254b5c _Yarn 66853->66854 66855 6c3cb430 FindFirstFileA 66854->66855 66860 6c254bae std::ios_base::_Ios_base_dtor 66855->66860 66856 6c27639e 67033 6c3e06a0 18 API calls 2 library calls 66856->67033 66858 6c255164 CreateFileA CloseHandle 66864 6c2551ec 66858->66864 66859 6c254cff 66860->66856 66860->66858 66860->66859 66861 6c26245a _Yarn _strlen 66860->66861 66861->66856 66863 6c3cb430 FindFirstFileA 66861->66863 66878 6c262a83 std::ios_base::_Ios_base_dtor 66863->66878 67010 6c3d5690 OpenSCManagerA 66864->67010 66866 6c25fc00 67026 6c3d57b0 CreateToolhelp32Snapshot 66866->67026 66869 6c3d6fb3 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66905 6c255478 std::ios_base::_Ios_base_dtor _Yarn _strlen 66869->66905 66871 6c2637d0 Sleep 66916 6c2637e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 66871->66916 66872 6c3cb430 FindFirstFileA 66872->66905 66873 6c2763b2 67034 6c2515e0 18 API calls std::ios_base::_Ios_base_dtor 66873->67034 66874 6c3d57b0 4 API calls 66892 6c26053a 66874->66892 66875 6c3d57b0 4 API calls 66897 6c2612e2 66875->66897 66877 6c2764f8 66878->66856 67014 6c3c0900 66878->67014 66879 6c25ffe3 66879->66874 66883 6c260abc 66879->66883 66880 6c276ba0 104 API calls 66880->66905 66881 6c276e60 32 API calls 66881->66905 66883->66861 66883->66875 66884 6c277090 77 API calls 66884->66905 66885 6c3d57b0 4 API calls 66885->66883 66886 6c3d57b0 4 API calls 66902 6c261dd9 66886->66902 66887 6c26211c 
66887->66861 66888 6c26241a 66887->66888 66891 6c3c0900 11 API calls 66888->66891 66889 6c3cb430 FindFirstFileA 66889->66916 66890 6c29e010 67 API calls 66890->66905 66894 6c26244d 66891->66894 66892->66883 66892->66885 66893 6c256722 67023 6c3d1df0 25 API calls 4 library calls 66893->67023 67032 6c3d62d0 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66894->67032 66896 6c262452 Sleep 66896->66861 66897->66886 66897->66887 66909 6c2616ac 66897->66909 66898 6c256162 66899 6c25740b 66900 6c3d5560 4 API calls 66899->66900 66908 6c25775a _strlen 66900->66908 66901 6c3d57b0 4 API calls 66901->66887 66902->66887 66902->66901 66903 6c276ba0 104 API calls 66903->66916 66904 6c276e60 32 API calls 66904->66916 66905->66856 66905->66866 66905->66869 66905->66872 66905->66880 66905->66881 66905->66884 66905->66890 66905->66893 66905->66898 66906 6c277090 77 API calls 66906->66916 66907 6c29e010 67 API calls 66907->66916 66908->66856 66910 6c257b92 66908->66910 66911 6c257ba9 66908->66911 66914 6c257b43 _Yarn 66908->66914 66912 6c3d6fb3 std::_Facet_Register 4 API calls 66910->66912 66913 6c3d6fb3 std::_Facet_Register 4 API calls 66911->66913 66912->66914 66913->66914 66915 6c3cb430 FindFirstFileA 66914->66915 66925 6c257be7 std::ios_base::_Ios_base_dtor 66915->66925 66916->66856 66916->66889 66916->66903 66916->66904 66916->66906 66916->66907 66917 6c3d5560 4 API calls 66928 6c258a07 66917->66928 66918 6c259d7f 66922 6c3d6fb3 std::_Facet_Register 4 API calls 66918->66922 66919 6c259d68 66921 6c3d6fb3 std::_Facet_Register 4 API calls 66919->66921 66920 6c25962c _strlen 66920->66856 66920->66918 66920->66919 66923 6c259d18 _Yarn 66920->66923 66921->66923 66922->66923 66924 6c3cb430 FindFirstFileA 66923->66924 66931 6c259dbd std::ios_base::_Ios_base_dtor 66924->66931 66925->66856 66925->66917 66925->66920 66926 6c258387 66925->66926 66927 6c3d5560 4 API calls 66937 6c259120 66927->66937 66928->66927 66929 6c3d5560 4 API calls 
66946 6c25a215 _strlen 66929->66946 66930 6c3d5560 4 API calls 66933 6c259624 66930->66933 66931->66856 66931->66929 66936 6c25e8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 66931->66936 66932 6c3d6fb3 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66932->66936 67024 6c3d62d0 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66933->67024 66935 6c3cb430 FindFirstFileA 66935->66936 66936->66856 66936->66932 66936->66935 66938 6c25f7b1 66936->66938 66939 6c25ed02 Sleep 66936->66939 66937->66930 67025 6c3d62d0 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66938->67025 66958 6c25e8c1 66939->66958 66941 6c25a9a4 66944 6c3d6fb3 std::_Facet_Register 4 API calls 66941->66944 66942 6c25a9bb 66945 6c3d6fb3 std::_Facet_Register 4 API calls 66942->66945 66943 6c25e8dd GetCurrentProcess TerminateProcess 66943->66936 66953 6c25a953 _Yarn _strlen 66944->66953 66945->66953 66946->66856 66946->66941 66946->66942 66946->66953 66947 6c3d5560 4 API calls 66947->66958 66948 6c25fbb8 66949 6c25fbe8 ExitWindowsEx Sleep 66948->66949 66949->66866 66950 6c25f7c0 66950->66948 66951 6c25aff0 66954 6c3d6fb3 std::_Facet_Register 4 API calls 66951->66954 66952 6c25b009 66955 6c3d6fb3 std::_Facet_Register 4 API calls 66952->66955 66953->66873 66953->66951 66953->66952 66956 6c25afa0 _Yarn 66953->66956 66954->66956 66955->66956 66957 6c3d5ed0 104 API calls 66956->66957 66959 6c25b059 std::ios_base::_Ios_base_dtor _strlen 66957->66959 66958->66936 66958->66943 66958->66947 66959->66856 66960 6c25b443 66959->66960 66961 6c25b42c 66959->66961 66964 6c25b3da _Yarn _strlen 66959->66964 66963 6c3d6fb3 std::_Facet_Register 4 API calls 66960->66963 66962 6c3d6fb3 std::_Facet_Register 4 API calls 66961->66962 66962->66964 66963->66964 66964->66873 66965 6c25b7b7 66964->66965 66966 6c25b79e 66964->66966 66969 6c25b751 _Yarn 66964->66969 66968 
6c3d6fb3 std::_Facet_Register 4 API calls 66965->66968 66967 6c3d6fb3 std::_Facet_Register 4 API calls 66966->66967 66967->66969 66968->66969 66970 6c3d5ed0 104 API calls 66969->66970 66971 6c25b804 std::ios_base::_Ios_base_dtor _strlen 66970->66971 66971->66856 66972 6c25bc26 66971->66972 66973 6c25bc0f 66971->66973 66976 6c25bbbd _Yarn _strlen 66971->66976 66975 6c3d6fb3 std::_Facet_Register 4 API calls 66972->66975 66974 6c3d6fb3 std::_Facet_Register 4 API calls 66973->66974 66974->66976 66975->66976 66976->66873 66977 6c25c075 66976->66977 66978 6c25c08e 66976->66978 66981 6c25c028 _Yarn 66976->66981 66979 6c3d6fb3 std::_Facet_Register 4 API calls 66977->66979 66980 6c3d6fb3 std::_Facet_Register 4 API calls 66978->66980 66979->66981 66980->66981 66982 6c3d5ed0 104 API calls 66981->66982 66987 6c25c0db std::ios_base::_Ios_base_dtor _strlen 66982->66987 66983 6c25c7a5 66985 6c3d6fb3 std::_Facet_Register 4 API calls 66983->66985 66984 6c25c7bc 66986 6c3d6fb3 std::_Facet_Register 4 API calls 66984->66986 66994 6c25c753 _Yarn _strlen 66985->66994 66986->66994 66987->66856 66987->66983 66987->66984 66987->66994 66988 6c25d406 66991 6c3d6fb3 std::_Facet_Register 4 API calls 66988->66991 66989 6c25d3ed 66990 6c3d6fb3 std::_Facet_Register 4 API calls 66989->66990 66992 6c25d39a _Yarn 66990->66992 66991->66992 66993 6c3d5ed0 104 API calls 66992->66993 66995 6c25d458 std::ios_base::_Ios_base_dtor _strlen 66993->66995 66994->66873 66994->66988 66994->66989 66994->66992 67000 6c25cb2f 66994->67000 66995->66856 66996 6c25d8a4 66995->66996 66997 6c25d8bb 66995->66997 67001 6c25d852 _Yarn _strlen 66995->67001 66998 6c3d6fb3 std::_Facet_Register 4 API calls 66996->66998 66999 6c3d6fb3 std::_Facet_Register 4 API calls 66997->66999 66998->67001 66999->67001 67001->66873 67002 6c25dcb6 67001->67002 67003 6c25dccf 67001->67003 67006 6c25dc69 _Yarn 67001->67006 67004 6c3d6fb3 std::_Facet_Register 4 API calls 67002->67004 67005 6c3d6fb3 std::_Facet_Register 4 API calls 67003->67005 
67004->67006 67005->67006 67007 6c3d5ed0 104 API calls 67006->67007 67009 6c25dd1c std::ios_base::_Ios_base_dtor 67007->67009 67008 6c3d5560 4 API calls 67008->66936 67009->66856 67009->67008 67011 6c3d56c6 67010->67011 67012 6c3d5758 OpenServiceA 67011->67012 67013 6c3d579f 67011->67013 67012->67011 67013->66905 67019 6c3c0913 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 67014->67019 67015 6c3c44cf CloseHandle 67015->67019 67016 6c3c367e CloseHandle 67016->67019 67017 6c3c2a8b CloseHandle 67017->67019 67018 6c2637cb 67022 6c3d62d0 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 67018->67022 67019->67015 67019->67016 67019->67017 67019->67018 67020 6c3ac750 WriteFile WriteFile WriteFile ReadFile 67019->67020 67035 6c3abca0 67019->67035 67020->67019 67022->66871 67023->66899 67024->66920 67025->66950 67030 6c3d5810 std::locale::_Setgloballocale 67026->67030 67027 6c3d57e7 CloseHandle 67027->67030 67028 6c3d5890 Process32NextW 67028->67030 67029 6c3d5921 67029->66879 67030->67027 67030->67028 67030->67029 67031 6c3d58b5 Process32FirstW 67030->67031 67031->67030 67032->66896 67034->66877 67036 6c3abcb3 _Yarn __wsopen_s std::locale::_Setgloballocale 67035->67036 67037 6c3ac6f0 67036->67037 67038 6c3ac25d CreateFileA 67036->67038 67040 6c3aafa0 67036->67040 67037->67019 67038->67036 67043 6c3aafb3 __wsopen_s std::locale::_Setgloballocale 67040->67043 67041 6c3ab959 WriteFile 67041->67043 67042 6c3ab9ad WriteFile 67042->67043 67043->67041 67043->67042 67044 6c3abc88 67043->67044 67045 6c3ab105 ReadFile 67043->67045 67044->67036 67045->67043 67046 6c253d62 67047 6c253bc0 67046->67047 67048 6c253e8a GetCurrentThread NtSetInformationThread 67047->67048 67049 6c253eea 67048->67049 67050 6c3ed043 67051 6c3ed055 __dosmaperr 67050->67051 67052 6c3ed06d 67050->67052 67052->67051 67053 6c3ed0b8 __dosmaperr 67052->67053 67054 6c3ed0e7 67052->67054 67092 6c3e0690 18 API calls __wsopen_s 67053->67092 67056 6c3ed100 
67054->67056 67058 6c3ed157 __wsopen_s 67054->67058 67059 6c3ed11b __dosmaperr 67054->67059 67057 6c3ed105 67056->67057 67056->67059 67060 6c3f1f55 __wsopen_s 18 API calls 67057->67060 67086 6c3e4d2b HeapFree GetLastError _free 67058->67086 67085 6c3e0690 18 API calls __wsopen_s 67059->67085 67061 6c3ed2ae 67060->67061 67063 6c3ed324 67061->67063 67066 6c3ed2c7 GetConsoleMode 67061->67066 67068 6c3ed328 ReadFile 67063->67068 67064 6c3ed177 67087 6c3e4d2b HeapFree GetLastError _free 67064->67087 67066->67063 67071 6c3ed2d8 67066->67071 67069 6c3ed39c GetLastError 67068->67069 67070 6c3ed342 67068->67070 67082 6c3ed132 __dosmaperr __wsopen_s 67069->67082 67070->67069 67073 6c3ed319 67070->67073 67071->67068 67074 6c3ed2de ReadConsoleW 67071->67074 67072 6c3ed17e 67072->67082 67088 6c3eb1d9 20 API calls __wsopen_s 67072->67088 67078 6c3ed37e 67073->67078 67079 6c3ed367 67073->67079 67073->67082 67074->67073 67076 6c3ed2fa GetLastError 67074->67076 67076->67082 67081 6c3ed395 67078->67081 67078->67082 67090 6c3ed46e 23 API calls 3 library calls 67079->67090 67091 6c3ed726 21 API calls __wsopen_s 67081->67091 67089 6c3e4d2b HeapFree GetLastError _free 67082->67089 67084 6c3ed39a 67084->67082 67085->67082 67086->67064 67087->67072 67088->67057 67089->67051 67090->67082 67091->67084 67092->67051
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: HR^
                            • API String ID: 4218353326-1341859651
                            • Opcode ID: 09454fc54df24c7501d3575f9af8ff3345e20601549a7a0f5dbd5baf3ffcbe58
                            • Instruction ID: 423650f4fe9f55aa585ea8582f5618551622e8a9e06ca37826552daa74b63313
                            • Opcode Fuzzy Hash: 09454fc54df24c7501d3575f9af8ff3345e20601549a7a0f5dbd5baf3ffcbe58
                            • Instruction Fuzzy Hash: 44742671644B068FC728CF28C8D0A96B3F3EF85318B598A2DC4D68BB55E774B45ACB50
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: }jk$;T55$L@^
                            • API String ID: 0-4218709813
                            • Opcode ID: 60ab3762968e2bd9dd6dff34ce3043dd38509adc1957a37984a6690dc1463815
                            • Instruction ID: ba63d6d02895879128c67502bdb6187ed8dadf7584ec16c7b0d86f85a6b575f1
                            • Opcode Fuzzy Hash: 60ab3762968e2bd9dd6dff34ce3043dd38509adc1957a37984a6690dc1463815
                            • Instruction Fuzzy Hash: FD3428716447058FC728CF29C8D0A95B7E3EF85318B198A6DC4E68BF45EB74B48ACB50

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7677 6c3d57b0-6c3d57e5 CreateToolhelp32Snapshot 7678 6c3d5810-6c3d5819 7677->7678 7679 6c3d581b-6c3d5820 7678->7679 7680 6c3d5850-6c3d5855 7678->7680 7681 6c3d5885-6c3d588a 7679->7681 7682 6c3d5822-6c3d5827 7679->7682 7683 6c3d585b-6c3d5860 7680->7683 7684 6c3d58e7-6c3d5911 call 6c3e3175 7680->7684 7689 6c3d5916-6c3d591b 7681->7689 7690 6c3d5890-6c3d58a2 Process32NextW 7681->7690 7685 6c3d5829-6c3d582e 7682->7685 7686 6c3d58a4-6c3d58cd call 6c3dbe90 Process32FirstW 7682->7686 7687 6c3d57e7-6c3d5802 CloseHandle 7683->7687 7688 6c3d5862-6c3d5867 7683->7688 7684->7678 7685->7678 7694 6c3d5830-6c3d5841 7685->7694 7696 6c3d58d2-6c3d58e2 7686->7696 7687->7678 7688->7678 7695 6c3d5869-6c3d5883 7688->7695 7689->7678 7693 6c3d5921-6c3d592f 7689->7693 7690->7696 7694->7678 7695->7678 7696->7678
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C3D57BE
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CreateSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3332741929-0
                            • Opcode ID: 74f1ef611ac5ee449d1d8e2bb2f94dca883559ea97d633c1317113406f01be66
                            • Instruction ID: f201ecd30e419a4deb21d8c43470e3481ed02e6e8b59fe4c57287f13408f92d9
                            • Opcode Fuzzy Hash: 74f1ef611ac5ee449d1d8e2bb2f94dca883559ea97d633c1317113406f01be66
                            • Instruction Fuzzy Hash: 43315CB6608340DBD710AF28C884B0ABBF4EF95749F51492EE498C7360D371A8888F63

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7821 6c253886-6c25388e 7822 6c253894-6c253896 7821->7822 7823 6c253970-6c25397d 7821->7823 7822->7823 7824 6c25389c-6c2538b9 7822->7824 7825 6c2539f1-6c2539f8 7823->7825 7826 6c25397f-6c253989 7823->7826 7829 6c2538c0-6c2538c1 7824->7829 7827 6c253ab5-6c253aba 7825->7827 7828 6c2539fe-6c253a03 7825->7828 7826->7824 7830 6c25398f-6c253994 7826->7830 7827->7824 7834 6c253ac0-6c253ac7 7827->7834 7831 6c2538d2-6c2538d4 7828->7831 7832 6c253a09-6c253a2f 7828->7832 7833 6c25395e 7829->7833 7835 6c253b16-6c253b18 7830->7835 7836 6c25399a-6c25399f 7830->7836 7839 6c253957-6c25395c 7831->7839 7837 6c253a35-6c253a3a 7832->7837 7838 6c2538f8-6c253955 7832->7838 7840 6c253960-6c253964 7833->7840 7834->7829 7841 6c253acd-6c253ad6 7834->7841 7835->7829 7842 6c2539a5-6c2539bf 7836->7842 7843 6c25383b-6c253855 call 6c3a19e0 call 6c3a19f0 7836->7843 7844 6c253a40-6c253a57 7837->7844 7845 6c253b1d-6c253b22 7837->7845 7838->7839 7839->7833 7847 6c253860-6c253885 7840->7847 7848 6c25396a 7840->7848 7841->7835 7849 6c253ad8-6c253aeb 7841->7849 7850 6c253a5a-6c253a5d 7842->7850 7843->7847 7844->7850 7856 6c253b24-6c253b44 7845->7856 7857 6c253b49-6c253b50 7845->7857 7847->7821 7853 6c253ba1-6c253bb6 7848->7853 7849->7838 7854 6c253af1-6c253af8 7849->7854 7851 6c253aa9-6c253ab0 7850->7851 7851->7840 7860 6c253bc0-6c253bda call 6c3a19e0 call 6c3a19f0 7853->7860 7862 6c253b62-6c253b85 7854->7862 7863 6c253afa-6c253aff 7854->7863 7856->7851 7857->7829 7859 6c253b56-6c253b5d 7857->7859 7859->7840 7872 6c253be0-6c253bfe 7860->7872 7862->7838 7865 6c253b8b 7862->7865 7863->7839 7865->7853 7875 6c253c04-6c253c11 7872->7875 7876 6c253e7b 7872->7876 7878 6c253c17-6c253c20 7875->7878 7879 6c253ce0-6c253cea 7875->7879 7877 6c253e81-6c253ee0 call 6c253750 GetCurrentThread NtSetInformationThread 7876->7877 7892 6c253eea-6c253f04 call 6c3a19e0 call 6c3a19f0 7877->7892 7880 6c253dc5 7878->7880 7881 6c253c26-6c253c2d 7878->7881 7882 6c253cec-6c253d0c 7879->7882 7883 6c253d3a-6c253d3c 7879->7883 7887 6c253dc6 7880->7887 7885 6c253dc3 7881->7885 7886 6c253c33-6c253c3a 7881->7886 7888 6c253d90-6c253d95 7882->7888 7889 6c253d70-6c253d8d 7883->7889 7890 6c253d3e-6c253d45 7883->7890 7885->7880 7893 6c253e26-6c253e2b 7886->7893 7894 6c253c40-6c253c5b 7886->7894 7896 6c253dc8-6c253dcc 7887->7896 7897 6c253d97-6c253db8 7888->7897 7898 6c253dba-6c253dc1 7888->7898 7889->7888 7895 6c253d50-6c253d57 7890->7895 7915 6c253f75-6c253fa1 7892->7915 7900 6c253e31 7893->7900 7901 6c253c7b-6c253cd0 7893->7901 7902 6c253e1b-6c253e24 7894->7902 7895->7887 7896->7872 7903 6c253dd2 7896->7903 7897->7880 7898->7885 7904 6c253dd7-6c253ddc 7898->7904 7900->7860 7901->7895 7902->7896 7906 6c253e76-6c253e79 7902->7906 7903->7906 7907 6c253e36-6c253e3d 7904->7907 7908 6c253dde-6c253e17 7904->7908 7906->7877 7911 6c253e5c-6c253e5f 7907->7911 7912 6c253e3f-6c253e5a 7907->7912 7908->7902 7911->7901 7914 6c253e65-6c253e69 7911->7914 7912->7902 7914->7896 7914->7906 7919 6c254020-6c254026 7915->7919 7920 6c253fa3-6c253fa8 7915->7920 7923 6c253f06-6c253f35 7919->7923 7924 6c25402c-6c25403c 7919->7924 7921 6c25407c-6c254081 7920->7921 7922 6c253fae-6c253fcf 7920->7922 7925 6c254083-6c25408a 7921->7925 7926 6c2540aa-6c2540ae 7921->7926 7922->7926 7927 6c253f38-6c253f61 7923->7927 7928 6c2540b3-6c2540b8 7924->7928 7929 6c25403e-6c254058 7924->7929 7925->7927 7930 6c254090 7925->7930 7933 6c253f6b-6c253f6f 7926->7933 7932 6c253f64-6c253f67 7927->7932 7928->7922 7931 6c2540be-6c2540c9 7928->7931 7934 6c25405a-6c254063 7929->7934 7930->7892 7937 6c2540a7 7930->7937 7931->7926 7938 6c2540cb-6c2540d4 7931->7938 7939 6c253f69 7932->7939 7933->7915 7935 6c2540f5-6c25413f 7934->7935 7936 6c254069-6c25406c 7934->7936 7935->7939 7940 6c254144-6c25414b 7936->7940 7941 6c254072-6c254077 7936->7941 7937->7926 7938->7937 7942 6c2540d6-6c2540f0 7938->7942 7939->7933 7940->7933 7941->7932 7942->7934
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3ae2417dac483dfbbaa5f6cd782026348c8b607afd3ee1082c709a8e813dd42f
                            • Instruction ID: e9b61de3ecd00a92db1e06b5bb3441c4452898a15c907298a54910913d0cf43f
                            • Opcode Fuzzy Hash: 3ae2417dac483dfbbaa5f6cd782026348c8b607afd3ee1082c709a8e813dd42f
                            • Instruction Fuzzy Hash: 78320532245B058FC324CF28C8D0696B7E3FFD13147A98A6CC8EA4BA95D775B45ACB50

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7969 6c253a6a-6c253a85 7970 6c253a87-6c253aa7 7969->7970 7971 6c253aa9-6c253ab0 7970->7971 7972 6c253960-6c253964 7971->7972 7973 6c253860-6c25388e 7972->7973 7974 6c25396a 7972->7974 7983 6c253894-6c253896 7973->7983 7984 6c253970-6c25397d 7973->7984 7975 6c253ba1-6c253bb6 7974->7975 7977 6c253bc0-6c253bda call 6c3a19e0 call 6c3a19f0 7975->7977 7993 6c253be0-6c253bfe 7977->7993 7983->7984 7986 6c25389c-6c2538b9 7983->7986 7988 6c2539f1-6c2539f8 7984->7988 7989 6c25397f-6c253989 7984->7989 7992 6c2538c0-6c2538c1 7986->7992 7990 6c253ab5-6c253aba 7988->7990 7991 6c2539fe-6c253a03 7988->7991 7989->7986 7994 6c25398f-6c253994 7989->7994 7990->7986 7998 6c253ac0-6c253ac7 7990->7998 7995 6c2538d2-6c2538d4 7991->7995 7996 6c253a09-6c253a2f 7991->7996 7997 6c25395e 7992->7997 8013 6c253c04-6c253c11 7993->8013 8014 6c253e7b 7993->8014 8000 6c253b16-6c253b18 7994->8000 8001 6c25399a-6c25399f 7994->8001 8004 6c253957-6c25395c 7995->8004 8002 6c253a35-6c253a3a 7996->8002 8003 6c2538f8-6c253955 7996->8003 7997->7972 7998->7992 8005 6c253acd-6c253ad6 7998->8005 8000->7992 8007 6c2539a5-6c2539bf 8001->8007 8008 6c25383b-6c253855 call 6c3a19e0 call 6c3a19f0 8001->8008 8009 6c253a40-6c253a57 8002->8009 8010 6c253b1d-6c253b22 8002->8010 8003->8004 8004->7997 8005->8000 8012 6c253ad8-6c253aeb 8005->8012 8015 6c253a5a-6c253a5d 8007->8015 8008->7973 8009->8015 8019 6c253b24-6c253b44 8010->8019 8020 6c253b49-6c253b50 8010->8020 8012->8003 8018 6c253af1-6c253af8 8012->8018 8021 6c253c17-6c253c20 8013->8021 8022 6c253ce0-6c253cea 8013->8022 8017 6c253e81-6c253ee0 call 6c253750 GetCurrentThread NtSetInformationThread 8014->8017 8015->7971 8041 6c253eea-6c253f04 call 6c3a19e0 call 6c3a19f0 8017->8041 8029 6c253b62-6c253b85 8018->8029 8030 6c253afa-6c253aff 8018->8030 8019->7970 8020->7992 8025 6c253b56-6c253b5d 8020->8025 8023 6c253dc5 8021->8023 8024 6c253c26-6c253c2d 8021->8024 8026 6c253cec-6c253d0c 8022->8026 8027 6c253d3a-6c253d3c 8022->8027 8035 6c253dc6 8023->8035 8032 6c253dc3 8024->8032 8033 6c253c33-6c253c3a 8024->8033 8025->7972 8036 6c253d90-6c253d95 8026->8036 8037 6c253d70-6c253d8d 8027->8037 8038 6c253d3e-6c253d45 8027->8038 8029->8003 8034 6c253b8b 8029->8034 8030->8004 8032->8023 8042 6c253e26-6c253e2b 8033->8042 8043 6c253c40-6c253c5b 8033->8043 8034->7975 8045 6c253dc8-6c253dcc 8035->8045 8046 6c253d97-6c253db8 8036->8046 8047 6c253dba-6c253dc1 8036->8047 8037->8036 8044 6c253d50-6c253d57 8038->8044 8064 6c253f75-6c253fa1 8041->8064 8049 6c253e31 8042->8049 8050 6c253c7b-6c253cd0 8042->8050 8051 6c253e1b-6c253e24 8043->8051 8044->8035 8045->7993 8052 6c253dd2 8045->8052 8046->8023 8047->8032 8053 6c253dd7-6c253ddc 8047->8053 8049->7977 8050->8044 8051->8045 8055 6c253e76-6c253e79 8051->8055 8052->8055 8056 6c253e36-6c253e3d 8053->8056 8057 6c253dde-6c253e17 8053->8057 8055->8017 8060 6c253e5c-6c253e5f 8056->8060 8061 6c253e3f-6c253e5a 8056->8061 8057->8051 8060->8050 8063 6c253e65-6c253e69 8060->8063 8061->8051 8063->8045 8063->8055 8068 6c254020-6c254026 8064->8068 8069 6c253fa3-6c253fa8 8064->8069 8072 6c253f06-6c253f35 8068->8072 8073 6c25402c-6c25403c 8068->8073 8070 6c25407c-6c254081 8069->8070 8071 6c253fae-6c253fcf 8069->8071 8074 6c254083-6c25408a 8070->8074 8075 6c2540aa-6c2540ae 8070->8075 8071->8075 8076 6c253f38-6c253f61 8072->8076 8077 6c2540b3-6c2540b8 8073->8077 8078 6c25403e-6c254058 8073->8078 8074->8076 8079 6c254090 8074->8079 8082 6c253f6b-6c253f6f 8075->8082 8081 6c253f64-6c253f67 8076->8081 8077->8071 8080 6c2540be-6c2540c9 8077->8080 8083 6c25405a-6c254063 8078->8083 8079->8041 8086 6c2540a7 8079->8086 8080->8075 8087 6c2540cb-6c2540d4 8080->8087 8088 6c253f69 8081->8088 8082->8064 8084 6c2540f5-6c25413f 8083->8084 8085 6c254069-6c25406c 8083->8085 8084->8088 8089 6c254144-6c25414b 8085->8089 8090 6c254072-6c254077 8085->8090 8086->8075 8087->8086 8091 6c2540d6-6c2540f0 8087->8091 8088->8082 8089->8082 8090->8081 8091->8083
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 8d145724604477be8ddc1cd91b647aeb3ae2dea3ee8e91d6196cec52a2d0d766
                            • Instruction ID: c0953044cf589a3716ebbc2dd91dd672ad437b133ad68fc58a137f9fd966e90c
                            • Opcode Fuzzy Hash: 8d145724604477be8ddc1cd91b647aeb3ae2dea3ee8e91d6196cec52a2d0d766
                            • Instruction Fuzzy Hash: 8C5103312147058FC321CF28C8807C6B7E3BF91314FA98A5DC4E65BA91DB75B46ACB41
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: fffecff4a3d66337ad40495e2d6feedb12123b99df690671fdec4e981b9762ca
                            • Instruction ID: 3147ec5360eacaf0ef8a8fc9f48ee50858c6c3ae2a7c7f9fdc3b811d23768ece
                            • Opcode Fuzzy Hash: fffecff4a3d66337ad40495e2d6feedb12123b99df690671fdec4e981b9762ca
                            • Instruction Fuzzy Hash: 2A51F331214B058FC320CF28C480796B7E3BF85324FA98B1DC4E65BA95DB71B466CB91
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C253E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C253EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: b883633cc8276264ba89a59b506f7aef51342e4fd4c3d588050f7bfd0fdd5f20
                            • Instruction ID: 3b3b46c9455b125aacae7110a0e51b6eb6a2083efc7f4ee2b1cbe41767076330
                            • Opcode Fuzzy Hash: b883633cc8276264ba89a59b506f7aef51342e4fd4c3d588050f7bfd0fdd5f20
                            • Instruction Fuzzy Hash: 79312231215B058BC320CF28C880BC7B7A3BF92314FA98A1DC4A64BA80DB7574299B51
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C253E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C253EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 3d0df70da559c02fc3a5f3094cdf40fae8d2dbcb6b1d0463d9ad4c37f6b62bbd
                            • Instruction ID: 7e83ffb4bc3264a32eb13834631df4f3b8c2dd2c674270667134c3fded24f29b
                            • Opcode Fuzzy Hash: 3d0df70da559c02fc3a5f3094cdf40fae8d2dbcb6b1d0463d9ad4c37f6b62bbd
                            • Instruction Fuzzy Hash: 1931F0311147098BC724CF28C490B97B7F6BF82314FA94A1DC8E68BA81DB717465CB92
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6C253E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C253EAA
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: f152d286a7167a08c0c3064ce9609937aaa56878dc9989a8c89231a0a4dc0312
                            • Instruction ID: fe5e43018ea843ec3ea35aff3fc7e97e1bcbf4fad5f622a2b20f1796b7163eef
                            • Opcode Fuzzy Hash: f152d286a7167a08c0c3064ce9609937aaa56878dc9989a8c89231a0a4dc0312
                            • Instruction Fuzzy Hash: FD21E5312187098BD724CF64C890B97B7B6BF42314FA44A1DD8A68BA80DB75B4249B52
                            APIs
                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C3D56A0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ManagerOpen
                            • String ID:
                            • API String ID: 1889721586-0
                            • Opcode ID: 0b3aeb726edbef8bfbcbd68f636dde660326aca544019732e5e2f28158448da3
                            • Instruction ID: ee55fd15558545e948e5d8c287c072e6fb168d6562a28f2340f5eed1d2c765e3
                            • Opcode Fuzzy Hash: 0b3aeb726edbef8bfbcbd68f636dde660326aca544019732e5e2f28158448da3
                            • Instruction Fuzzy Hash: 853129B5A08341EFC700DF28C584B0ABBF0EB89769F51885AF999C6361C375E8449F62
                            APIs
                            • FindFirstFileA.KERNEL32(?,?), ref: 6C3CB44C
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: e6ae6cd6ac949fd704f72110a539dd0751ccb92e51154df84fb0b440c8065bc4
                            • Instruction ID: 453ae761eada8131724e4062b0c65af21e2127d544b27de51c72ca3489f6ed98
                            • Opcode Fuzzy Hash: e6ae6cd6ac949fd704f72110a539dd0751ccb92e51154df84fb0b440c8065bc4
                            • Instruction Fuzzy Hash: 39111374A0C350ABD7009A28D58450EBBE8AB86329F148E59F4A8CBA91D339CC848F13
                            APIs
                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C3AB117
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                            • API String ID: 2738559852-1563143607
                            • Opcode ID: 569a291b9739586c240d48d9053dc2aa06beb520fd20d00dc0861213a23c3f62
                            • Instruction ID: d461ba6e596e833ebebc0732790aed1ee9bb9980615e81fc7b18ffa61fe84d80
                            • Opcode Fuzzy Hash: 569a291b9739586c240d48d9053dc2aa06beb520fd20d00dc0861213a23c3f62
                            • Instruction Fuzzy Hash: A16269706093898FC724CF69C490A9ABBE1EBC9318F148D1EF4A9CB750D736D8568F52

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 6824 6c3ed043-6c3ed053 6825 6c3ed06d-6c3ed06f 6824->6825 6826 6c3ed055-6c3ed068 call 6c3dff4f call 6c3dff3c 6824->6826 6828 6c3ed3d4-6c3ed3e1 call 6c3dff4f call 6c3dff3c 6825->6828 6829 6c3ed075-6c3ed07b 6825->6829 6842 6c3ed3ec 6826->6842 6848 6c3ed3e7 call 6c3e0690 6828->6848 6829->6828 6832 6c3ed081-6c3ed0a7 6829->6832 6832->6828 6835 6c3ed0ad-6c3ed0b6 6832->6835 6838 6c3ed0b8-6c3ed0cb call 6c3dff4f call 6c3dff3c 6835->6838 6839 6c3ed0d0-6c3ed0d2 6835->6839 6838->6848 6840 6c3ed0d8-6c3ed0db 6839->6840 6841 6c3ed3d0-6c3ed3d2 6839->6841 6840->6841 6847 6c3ed0e1-6c3ed0e5 6840->6847 6845 6c3ed3ef-6c3ed3f2 6841->6845 6842->6845 6847->6838 6850 6c3ed0e7-6c3ed0fe 6847->6850 6848->6842 6853 6c3ed14f-6c3ed155 6850->6853 6854 6c3ed100-6c3ed103 6850->6854 6855 6c3ed11b-6c3ed132 call 6c3dff4f call 6c3dff3c call 6c3e0690 6853->6855 6856 6c3ed157-6c3ed161 6853->6856 6857 6c3ed105-6c3ed10e 6854->6857 6858 6c3ed113-6c3ed119 6854->6858 6888 6c3ed307 6855->6888 6859 6c3ed168-6c3ed186 call 6c3e4d65 call 6c3e4d2b * 2 6856->6859 6860 6c3ed163-6c3ed165 6856->6860 6861 6c3ed1d3-6c3ed1e3 6857->6861 6858->6855 6862 6c3ed137-6c3ed14a 6858->6862 6898 6c3ed188-6c3ed19e call 6c3dff3c call 6c3dff4f 6859->6898 6899 6c3ed1a3-6c3ed1cc call 6c3eb1d9 6859->6899 6860->6859 6864 6c3ed2a8-6c3ed2b1 call 6c3f1f55 6861->6864 6865 6c3ed1e9-6c3ed1f5 6861->6865 6862->6861 6876 6c3ed324 6864->6876 6877 6c3ed2b3-6c3ed2c5 6864->6877 6865->6864 6868 6c3ed1fb-6c3ed1fd 6865->6868 6868->6864 6873 6c3ed203-6c3ed227 6868->6873 6873->6864 6878 6c3ed229-6c3ed23f 6873->6878 6885 6c3ed328-6c3ed340 ReadFile 6876->6885 6877->6876 6882 6c3ed2c7-6c3ed2d6 GetConsoleMode 6877->6882 6878->6864 6883 6c3ed241-6c3ed243 6878->6883 6882->6876 6889 6c3ed2d8-6c3ed2dc 6882->6889 6883->6864 6890 6c3ed245-6c3ed26b 6883->6890 6886 6c3ed39c-6c3ed3a7 GetLastError 6885->6886 6887 6c3ed342-6c3ed348 6885->6887 6892 6c3ed3a9-6c3ed3bb call 6c3dff3c call 6c3dff4f 6886->6892 6893 6c3ed3c0-6c3ed3c3 
6886->6893 6887->6886 6894 6c3ed34a 6887->6894 6896 6c3ed30a-6c3ed314 call 6c3e4d2b 6888->6896 6889->6885 6895 6c3ed2de-6c3ed2f8 ReadConsoleW 6889->6895 6890->6864 6897 6c3ed26d-6c3ed283 6890->6897 6892->6888 6905 6c3ed3c9-6c3ed3cb 6893->6905 6906 6c3ed300-6c3ed306 call 6c3dff62 6893->6906 6901 6c3ed34d-6c3ed35f 6894->6901 6903 6c3ed2fa GetLastError 6895->6903 6904 6c3ed319-6c3ed322 6895->6904 6896->6845 6897->6864 6908 6c3ed285-6c3ed287 6897->6908 6898->6888 6899->6861 6901->6896 6911 6c3ed361-6c3ed365 6901->6911 6903->6906 6904->6901 6905->6896 6906->6888 6908->6864 6915 6c3ed289-6c3ed2a3 6908->6915 6918 6c3ed37e-6c3ed389 6911->6918 6919 6c3ed367-6c3ed377 call 6c3ed46e 6911->6919 6915->6864 6925 6c3ed38b call 6c3ed3f3 6918->6925 6926 6c3ed395-6c3ed39a call 6c3ed726 6918->6926 6930 6c3ed37a-6c3ed37c 6919->6930 6931 6c3ed390-6c3ed393 6925->6931 6926->6931 6930->6896 6931->6930
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 2ab801e0dfff29729b6c637f1cb521f411aa6a217619839cf6764c013c763614
                            • Instruction ID: a344306f80a1cdc3cd656d4e051e0b4ce887352dbb319418482d112aa9f228d0
                            • Opcode Fuzzy Hash: 2ab801e0dfff29729b6c637f1cb521f411aa6a217619839cf6764c013c763614
                            • Instruction Fuzzy Hash: E3C1D370E042599FDF01DFA8D880BADBBB4EF8E318F50415AE454ABB81C771A945CF62

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 6933 6c3f45dc-6c3f460c call 6c3f4a5c 6936 6c3f460e-6c3f4619 call 6c3dff4f 6933->6936 6937 6c3f4627-6c3f4633 call 6c3f1b7c 6933->6937 6944 6c3f461b-6c3f4622 call 6c3dff3c 6936->6944 6942 6c3f464c-6c3f4695 call 6c3f49c7 6937->6942 6943 6c3f4635-6c3f464a call 6c3dff4f call 6c3dff3c 6937->6943 6953 6c3f4697-6c3f46a0 6942->6953 6954 6c3f4702-6c3f470b GetFileType 6942->6954 6943->6944 6951 6c3f4901-6c3f4905 6944->6951 6958 6c3f46d7-6c3f46fd GetLastError call 6c3dff62 6953->6958 6959 6c3f46a2-6c3f46a6 6953->6959 6955 6c3f470d-6c3f473e GetLastError call 6c3dff62 CloseHandle 6954->6955 6956 6c3f4754-6c3f4757 6954->6956 6955->6944 6970 6c3f4744-6c3f474f call 6c3dff3c 6955->6970 6962 6c3f4759-6c3f475e 6956->6962 6963 6c3f4760-6c3f4766 6956->6963 6958->6944 6959->6958 6964 6c3f46a8-6c3f46d5 call 6c3f49c7 6959->6964 6967 6c3f476a-6c3f47b8 call 6c3f1d20 6962->6967 6963->6967 6968 6c3f4768 6963->6968 6964->6954 6964->6958 6975 6c3f47ba-6c3f47c6 call 6c3f4bd6 6967->6975 6976 6c3f47d7-6c3f47ff call 6c3f4c80 6967->6976 6968->6967 6970->6944 6975->6976 6982 6c3f47c8 6975->6982 6983 6c3f4804-6c3f4845 6976->6983 6984 6c3f4801-6c3f4802 6976->6984 6985 6c3f47ca-6c3f47d2 call 6c3ebe95 6982->6985 6986 6c3f4847-6c3f484b 6983->6986 6987 6c3f4866-6c3f4874 6983->6987 6984->6985 6985->6951 6986->6987 6991 6c3f484d-6c3f4861 6986->6991 6988 6c3f48ff 6987->6988 6989 6c3f487a-6c3f487e 6987->6989 6988->6951 6989->6988 6992 6c3f4880-6c3f48b3 CloseHandle call 6c3f49c7 6989->6992 6991->6987 6996 6c3f48e7-6c3f48fb 6992->6996 6997 6c3f48b5-6c3f48e1 GetLastError call 6c3dff62 call 6c3f1c8f 6992->6997 6996->6988 6997->6996
                            APIs
                              • Part of subcall function 6C3F49C7: CreateFileW.KERNEL32(00000000,00000000,?,6C3F4685,?,?,00000000,?,6C3F4685,00000000,0000000C), ref: 6C3F49E4
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C3F46F0
                            • __dosmaperr.LIBCMT ref: 6C3F46F7
                            • GetFileType.KERNEL32(00000000), ref: 6C3F4703
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C3F470D
                            • __dosmaperr.LIBCMT ref: 6C3F4716
                            • CloseHandle.KERNEL32(00000000), ref: 6C3F4736
                            • CloseHandle.KERNEL32(6C3EB640), ref: 6C3F4883
                            • GetLastError.KERNEL32 ref: 6C3F48B5
                            • __dosmaperr.LIBCMT ref: 6C3F48BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: 8Q
                            • API String ID: 4237864984-4022487301
                            • Opcode ID: 2c1674a367e3ccac7243045ccb28f3aee061daabd95be06202032d82540b25f3
                            • Instruction ID: 156b03e48382d46f9902d3f71ee0058f0948f9afeaaaa292d3bd707d6acc7a26
                            • Opcode Fuzzy Hash: 2c1674a367e3ccac7243045ccb28f3aee061daabd95be06202032d82540b25f3
                            • Instruction Fuzzy Hash: 7BA13732A041488FCF09DF68D9517AE3BB5AB0B328F14054DE860AF790CB36991BCF52

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7002 6c3ac750-6c3ac7a9 call 6c3d70e0 7005 6c3ac7d0-6c3ac7d9 7002->7005 7006 6c3ac7db-6c3ac7e0 7005->7006 7007 6c3ac820-6c3ac825 7005->7007 7008 6c3ac7e2-6c3ac7e7 7006->7008 7009 6c3ac860-6c3ac865 7006->7009 7010 6c3ac8a0-6c3ac8a5 7007->7010 7011 6c3ac827-6c3ac82c 7007->7011 7012 6c3ac7ed-6c3ac7f2 7008->7012 7013 6c3ac8e2-6c3ac94f WriteFile 7008->7013 7016 6c3ac86b-6c3ac870 7009->7016 7017 6c3ac9a1-6c3ac9b8 WriteFile 7009->7017 7018 6c3ac8ab-6c3ac8b0 7010->7018 7019 6c3ac9f9-6c3aca29 call 6c3db910 7010->7019 7014 6c3ac832-6c3ac837 7011->7014 7015 6c3ac977-6c3ac98b 7011->7015 7022 6c3ac7f8-6c3ac7fd 7012->7022 7023 6c3ac959-6c3ac96d WriteFile 7012->7023 7013->7023 7025 6c3ac7ab-6c3ac7c0 7014->7025 7026 6c3ac83d-6c3ac842 7014->7026 7024 6c3ac98f-6c3ac99c 7015->7024 7027 6c3ac9c2-6c3ac9ef call 6c3dbe90 ReadFile 7016->7027 7028 6c3ac876-6c3ac87b 7016->7028 7017->7027 7020 6c3aca2e-6c3aca33 7018->7020 7021 6c3ac8b6-6c3ac8dd 7018->7021 7019->7005 7020->7005 7030 6c3aca39-6c3aca47 7020->7030 7031 6c3ac7c3-6c3ac7c8 7021->7031 7022->7005 7032 6c3ac7ff-6c3ac81a 7022->7032 7023->7015 7024->7005 7025->7031 7026->7005 7033 6c3ac844-6c3ac857 7026->7033 7027->7019 7028->7005 7035 6c3ac881-6c3ac89b 7028->7035 7031->7005 7032->7031 7033->7031 7035->7024
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: :uW$;uW$;uW$> 4!$> 4!
                            • API String ID: 0-4100612575
                            • Opcode ID: 3aac243f5cfe29a53bf5aeb4b69a529fd7a1f377829a1fa139f7d46d2d3e29a4
                            • Instruction ID: f9a1db63c558bc2006412d603bf2b011cfb15f135c1d2f6a26f3b2e7cb4d0093
                            • Opcode Fuzzy Hash: 3aac243f5cfe29a53bf5aeb4b69a529fd7a1f377829a1fa139f7d46d2d3e29a4
                            • Instruction Fuzzy Hash: 15719CB0208345AFD710DF58D480BAABBF5FF8A708F10492EF488D6651D772D8998F92
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: K?Jo$K?Jo$`Rlx$7eO
                            • API String ID: 0-174837320
                            • Opcode ID: 2e8538ae949879278140c131c6db11b04deba9f1c487368124f2dd6c23bfb7bb
                            • Instruction ID: e2a276b0539c9f6879bf8c452978fb0f1c186eec37a703bc8f3b29db7f377052
                            • Opcode Fuzzy Hash: 2e8538ae949879278140c131c6db11b04deba9f1c487368124f2dd6c23bfb7bb
                            • Instruction Fuzzy Hash: E24287746093468FC714DF98D09061ABBE1EF89318F248D5EE5A58BB20C73AD866CF53
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;T55
                            • API String ID: 0-2572755013
                            • Opcode ID: 2faa8f4e989bf792f711911a6c02486625be7d0945959c4fe55b492dd48706c1
                            • Instruction ID: f1852dbb82ebd40207d839e9997e46b9bcfb17c706dee35a2d68cdc5f3d85ebc
                            • Opcode Fuzzy Hash: 2faa8f4e989bf792f711911a6c02486625be7d0945959c4fe55b492dd48706c1
                            • Instruction Fuzzy Hash: 0D0316316447068FCB28CF29C8D0A96B7E3AFD532475D8B2DC4A64BE95DB34B44ACB50

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7579 6c3d5560-6c3d55e7 CreateProcessA 7580 6c3d563a-6c3d5643 7579->7580 7581 6c3d5645-6c3d564a 7580->7581 7582 6c3d5660-6c3d567b 7580->7582 7583 6c3d564c-6c3d5651 7581->7583 7584 6c3d55f0-6c3d5632 WaitForSingleObject CloseHandle * 2 7581->7584 7582->7580 7583->7580 7585 6c3d5653-6c3d5688 7583->7585 7584->7580
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID: D
                            • API String ID: 963392458-2746444292
                            • Opcode ID: ffa6719f3e43a7c9bcddb1f4da256dcc8383666b64307b1b8c9c8642d12ef1f5
                            • Instruction ID: 798744e58b8bc46a7568edce4779d12c943946a925c7b23f32ac1210c030e1b5
                            • Opcode Fuzzy Hash: ffa6719f3e43a7c9bcddb1f4da256dcc8383666b64307b1b8c9c8642d12ef1f5
                            • Instruction Fuzzy Hash: D231E3B18193408FE740EF28D19871ABBF0EB9A358F416A1DF4D996250E775A588CF43
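                            Every function on this page is summarised in the same block layout: an optional control-flow edge list, an APIs list, the Memory Dump Source, and the Similarity fields, the last of which is always the Instruction Fuzzy Hash. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser that turns those blocks into records so that the 6C250000 module in process 7 can be pivoted on, for instance to list the functions that reach CreateProcess or to index functions by the Win32 APIs they call. The field names, the bullet character and the "ref:" syntax are taken from this page; the SAMPLE text is a constructed excerpt of two blocks from above, trimmed to the lines the parser reads; the helper names (FunctionRecord, parse_report, index_by_api, process_spawners) are this example's own.

```python
"""Added example: parse Joe Sandbox per-function summary blocks into records.
Helper names are this example's own; field names and syntax follow the page."""
import re
from dataclasses import dataclass, field

# Constructed input: two blocks copied from this page, trimmed to the lines
# the parser reads. Every block ends with its "Instruction Fuzzy Hash" line.
SAMPLE = """\
control_flow_graph 7579 6c3d5560-6c3d55e7 CreateProcessA 7580 6c3d563a-6c3d5643 7579->7580 7584 6c3d55f0-6c3d5632 WaitForSingleObject CloseHandle * 2 7581->7584
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
Similarity
• API ID: CreateProcess
• String ID: D
• API String ID: 963392458-2746444292
• Opcode ID: ffa6719f3e43a7c9bcddb1f4da256dcc8383666b64307b1b8c9c8642d12ef1f5
• Instruction Fuzzy Hash: D231E3B18193408FE740EF28D19871ABBF0EB9A358F416A1DF4D996250E775A588CF43
control_flow_graph 7587 6c3ec1ce-6c3ec1ea 7610 6c3ec305-6c3ec327 WriteFile 7607->7610
APIs
  • Part of subcall function 6C3EC421: GetConsoleCP.KERNEL32(?,6C3EB640,?), ref: 6C3EC469
• WriteFile.KERNEL32(?,?,6C3F4C5C,00000000), ref: 6C3EC31F
• GetLastError.KERNEL32(?), ref: 6C3EC329
• __dosmaperr.LIBCMT ref: 6C3EC36E
Memory Dump Source
• Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
Similarity
• API ID: ConsoleErrorFileLastWrite__dosmaperr
• String ID: 8Q
• API String ID: 251514795-4022487301
• Opcode ID: 58cc832330e39a47ae5078fe7490c3a96975985563fbe11aea4205c6af624e2c
• Instruction Fuzzy Hash: CE51C371A04229AEDF01EBE8D880BEEBFB9FF0E358F140152E450A7A41D7359945CF62
"""

# First basic block of the graph gives the function's entry address.
CFG_RE = re.compile(r"^control_flow_graph\s+\d+\s+([0-9a-f]+)-[0-9a-f]+")
# Win32-style names inside the graph text (CreateProcessA, ReadFile, ...);
# lower-case hex "call 6c3dff4f" targets never match because of the leading capital.
API_NAME_RE = re.compile(r"\b([A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*)\b")
# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function X:"
# and optionally without an argument list (e.g. "__dosmaperr.LIBCMT ref: ...").
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(r"^(?P<proc>[0-9A-Fa-f]{8})\.\S+,\s*Offset:\s*(?P<base>[0-9A-F]+)")


@dataclass
class FunctionRecord:
    entry: str = ""                                  # entry address from the CFG line
    cfg_apis: set = field(default_factory=set)       # API names seen in the graph text
    calls: list = field(default_factory=list)        # (name, module, ref, subcall-or-None)
    fields: dict = field(default_factory=dict)       # Similarity / dump-source fields
    proc: int = -1                                   # sandbox process number
    image_base: str = ""                             # "Offset:" of the dumped image

    def api_names(self):
        return self.cfg_apis | {c[0] for c in self.calls}


def parse_report(text):
    """Split the report text into one FunctionRecord per summary block."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := CFG_RE.match(line):
            cur.entry = m.group(1)
            cur.cfg_apis.update(API_NAME_RE.findall(line))
        elif m := CALL_RE.match(line):
            cur.calls.append((m["name"], m["mod"], m["ref"], m["sub"]))
        elif m := FIELD_RE.match(line):
            key, val = m["key"].strip(), m["val"].strip()
            cur.fields[key] = val
            if key == "Source File" and (s := SOURCE_RE.match(val)):
                cur.proc, cur.image_base = int(s["proc"], 16), s["base"]
            if key == "Instruction Fuzzy Hash":      # last field of every block
                records.append(cur)
                cur = FunctionRecord()
    return records


def index_by_api(records):
    """Map each API name to the entry addresses of the functions that reach it."""
    idx = {}
    for r in records:
        for name in sorted(r.api_names()):
            idx.setdefault(name, []).append(r.entry)
    return idx


def process_spawners(records):
    """Functions that create a process, from either the graph text or the APIs list."""
    return [r for r in records if any(n.startswith("CreateProcess") for n in r.api_names())]


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for r in process_spawners(recs):
        print(f"proc {r.proc} base {r.image_base} func {r.entry}: {sorted(r.api_names())}")
```

Run against the full report text rather than SAMPLE, the same parser yields one record per block, and index_by_api gives a quick answer to "which functions in this module touch ReadConsoleW or CreateFileW" without scrolling the graphs; the Part-of-subcall entries keep their caller address in the fourth tuple slot so a hit can be attributed to the right function.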

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7587 6c3ec1ce-6c3ec1ea 7588 6c3ec3a9 7587->7588 7589 6c3ec1f0-6c3ec1f2 7587->7589 7590 6c3ec3ab-6c3ec3af 7588->7590 7591 6c3ec214-6c3ec235 7589->7591 7592 6c3ec1f4-6c3ec207 call 6c3dff4f call 6c3dff3c call 6c3e0690 7589->7592 7593 6c3ec23c-6c3ec242 7591->7593 7594 6c3ec237-6c3ec23a 7591->7594 7609 6c3ec20c-6c3ec20f 7592->7609 7593->7592 7596 6c3ec244-6c3ec249 7593->7596 7594->7593 7594->7596 7598 6c3ec25a-6c3ec26b call 6c3ec3b0 7596->7598 7599 6c3ec24b-6c3ec257 call 6c3eb1d9 7596->7599 7607 6c3ec2ac-6c3ec2be 7598->7607 7608 6c3ec26d-6c3ec26f 7598->7608 7599->7598 7610 6c3ec305-6c3ec327 WriteFile 7607->7610 7611 6c3ec2c0-6c3ec2c9 7607->7611 7612 6c3ec296-6c3ec2a2 call 6c3ec421 7608->7612 7613 6c3ec271-6c3ec279 7608->7613 7609->7590 7614 6c3ec329-6c3ec32f GetLastError 7610->7614 7615 6c3ec332 7610->7615 7617 6c3ec2cb-6c3ec2ce 7611->7617 7618 6c3ec2f5-6c3ec303 call 6c3ec833 7611->7618 7621 6c3ec2a7-6c3ec2aa 7612->7621 7619 6c3ec27f-6c3ec28c call 6c3ec7cb 7613->7619 7620 6c3ec33b-6c3ec33e 7613->7620 7614->7615 7622 6c3ec335-6c3ec33a 7615->7622 7624 6c3ec2e5-6c3ec2f3 call 6c3ec9f7 7617->7624 7625 6c3ec2d0-6c3ec2d3 7617->7625 7618->7621 7628 6c3ec28f-6c3ec291 7619->7628 7623 6c3ec341-6c3ec346 7620->7623 7621->7628 7622->7620 7629 6c3ec348-6c3ec34d 7623->7629 7630 6c3ec3a4-6c3ec3a7 7623->7630 7624->7621 7625->7623 7631 6c3ec2d5-6c3ec2e3 call 6c3ec90e 7625->7631 7628->7622 7635 6c3ec34f-6c3ec354 7629->7635 7636 6c3ec379-6c3ec385 7629->7636 7630->7590 7631->7621 7641 6c3ec36d-6c3ec374 call 6c3dff62 7635->7641 7642 6c3ec356-6c3ec368 call 6c3dff3c call 6c3dff4f 7635->7642 7639 6c3ec38c-6c3ec39f call 6c3dff3c call 6c3dff4f 7636->7639 7640 6c3ec387-6c3ec38a 7636->7640 7639->7609 7640->7588 7640->7639 7641->7609 7642->7609
                            APIs
                              • Part of subcall function 6C3EC421: GetConsoleCP.KERNEL32(?,6C3EB640,?), ref: 6C3EC469
                            • WriteFile.KERNEL32(?,?,6C3F4C5C,00000000,00000000,?,00000000,00000000,6C3F6026,00000000,00000000,?,00000000,6C3EB640,6C3F4C5C,00000000), ref: 6C3EC31F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C3F4C5C,6C3EB640,00000000,?,?,?,?,00000000,?), ref: 6C3EC329
                            • __dosmaperr.LIBCMT ref: 6C3EC36E
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                            • String ID: 8Q
                            • API String ID: 251514795-4022487301
                            • Opcode ID: 58cc832330e39a47ae5078fe7490c3a96975985563fbe11aea4205c6af624e2c
                            • Instruction ID: 3e5f167ccefdab3f89156490487798a5218e4db6064d92fc286f273f577328fc
                            • Opcode Fuzzy Hash: 58cc832330e39a47ae5078fe7490c3a96975985563fbe11aea4205c6af624e2c
                            • Instruction Fuzzy Hash: CE51C371A04229AEDF01EBE8D880BEEBFB9FF0E358F140152E450A7A41D7359945CF62

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7654 6c3d6100-6c3d610c 7655 6c3d614d 7654->7655 7656 6c3d610e-6c3d6119 7654->7656 7659 6c3d614f-6c3d61c7 7655->7659 7657 6c3d612f-6c3d613c call 6c2a01f0 call 6c3e1088 7656->7657 7658 6c3d611b-6c3d612d 7656->7658 7667 6c3d6141-6c3d614b 7657->7667 7658->7657 7661 6c3d61c9-6c3d61f1 7659->7661 7662 6c3d61f3-6c3d61f9 7659->7662 7661->7662 7664 6c3d61fa-6c3d62b9 call 6c2a2250 call 6c2a2340 call 6c3d98e9 call 6c29e010 call 6c3d75f8 7661->7664 7667->7659
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C3D62A1
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 323602529-1866435925
                            • Opcode ID: 6acf1c5fa0f80b094d23002931b6368ed2b8d906c58c8a8e29c28234e212b471
                            • Instruction ID: e2d1237617f1912d4367b19f27108d04c50593b372975a249a07e8dd48aef5e1
                            • Opcode Fuzzy Hash: 6acf1c5fa0f80b094d23002931b6368ed2b8d906c58c8a8e29c28234e212b471
                            • Instruction Fuzzy Hash: 7D5134B6A00B408FD725CF29C495B97BBF1BB48318F008A2DD89647B91D775B90ACF90

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7699 6c3ebe95-6c3ebea9 call 6c3f1b12 7702 6c3ebeaf-6c3ebeb7 7699->7702 7703 6c3ebeab-6c3ebead 7699->7703 7705 6c3ebeb9-6c3ebec0 7702->7705 7706 6c3ebec2-6c3ebec5 7702->7706 7704 6c3ebefd-6c3ebf1d call 6c3f1c8f 7703->7704 7714 6c3ebf1f-6c3ebf29 call 6c3dff62 7704->7714 7715 6c3ebf2b 7704->7715 7705->7706 7708 6c3ebecd-6c3ebee1 call 6c3f1b12 * 2 7705->7708 7709 6c3ebec7-6c3ebecb 7706->7709 7710 6c3ebee3-6c3ebef3 call 6c3f1b12 CloseHandle 7706->7710 7708->7703 7708->7710 7709->7708 7709->7710 7710->7703 7721 6c3ebef5-6c3ebefb GetLastError 7710->7721 7719 6c3ebf2d-6c3ebf30 7714->7719 7715->7719 7721->7704
                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6C3F47CF), ref: 6C3EBEEB
                            • GetLastError.KERNEL32(?,00000000,?,6C3F47CF), ref: 6C3EBEF5
                            • __dosmaperr.LIBCMT ref: 6C3EBF20
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID:
                            • API String ID: 2583163307-0
                            • Opcode ID: 004f87d4cba4eecbce79df07ac8cd64240dc708a52f613a5db13253b84116963
                            • Instruction ID: 5dcd120fb3a28092ec89d3cbd127bcaec81314f19be57fba11bf5157e6807f99
                            • Opcode Fuzzy Hash: 004f87d4cba4eecbce79df07ac8cd64240dc708a52f613a5db13253b84116963
                            • Instruction Fuzzy Hash: 0801253370823046C2026639B544BAD376D8BCA73CF2A074EEA24AFAC1DB62C8454E55

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 7944 6c3e110c-6c3e1117 7945 6c3e112e-6c3e113b 7944->7945 7946 6c3e1119-6c3e112c call 6c3dff3c call 6c3e0690 7944->7946 7948 6c3e113d-6c3e1152 call 6c3e1229 call 6c3e8cae call 6c3ea1d0 call 6c3ebe08 7945->7948 7949 6c3e1176-6c3e117f call 6c3eb3e5 7945->7949 7957 6c3e1180-6c3e1182 7946->7957 7963 6c3e1157-6c3e115c 7948->7963 7949->7957 7964 6c3e115e-6c3e1161 7963->7964 7965 6c3e1163-6c3e1167 7963->7965 7964->7949 7965->7949 7966 6c3e1169-6c3e1175 call 6c3e4d2b 7965->7966 7966->7949
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction ID: 218eb66b547bfc189fd52d5e8a1bb5e8b202b280d1be6b3d81be6e81272a54d6
                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction Fuzzy Hash: 03F0AD329026345AD6221B699C00BCA73A88F8A37CF114717E8A482BC1CB65D40ACFE7
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C3D6024
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C3D6064
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID:
                            • API String ID: 323602529-0
                            APIs
                            • GetLastError.KERNEL32(6C406DF0,0000000C), ref: 6C3DF4C2
                            • ExitThread.KERNEL32 ref: 6C3DF4C9
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: ErrorExitLastThread
                            • String ID:
                            • API String ID: 1611280651-0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,6C3F4685,?,?,00000000,?,6C3F4685,00000000,0000000C), ref: 6C3F49E4
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: _strlen
                            • String ID: g)''
                            • API String ID: 4218353326-3487984327
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 6C3D62DA
                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C3D62E6
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C3D62F4
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C3D631B
                            • NtInitiatePowerAction.NTDLL ref: 6C3D632F
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3256374457-3733053543
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: \j`7$\j`7$j
                            • API String ID: 0-3644614255
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C4684B1
                              • Part of subcall function 6C46993B: __EH_prolog.LIBCMT ref: 6C469940
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Similarity
                            • API ID: H_prolog
                            • String ID: 1$`)K$h)K
                            • API String ID: 3519838083-3935664338
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C45AEF4
                              • Part of subcall function 6C45E622: __EH_prolog.LIBCMT ref: 6C45E627
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: $h%K
                            • API String ID: 3519838083-1737110039
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C436CE5
                              • Part of subcall function 6C40CC2A: __EH_prolog.LIBCMT ref: 6C40CC2F
                              • Part of subcall function 6C40E6A6: __EH_prolog.LIBCMT ref: 6C40E6AB
                              • Part of subcall function 6C436A0E: __EH_prolog.LIBCMT ref: 6C436A13
                              • Part of subcall function 6C436837: __EH_prolog.LIBCMT ref: 6C43683C
                              • Part of subcall function 6C43A143: __EH_prolog.LIBCMT ref: 6C43A148
                              • Part of subcall function 6C43A143: ctype.LIBCPMT ref: 6C43A16C
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            Similarity
                            • API ID: H_prolog$ctype
                            • String ID:
                            • API String ID: 1039218491-3916222277
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: 3J$`/J$`1J$p0J
                            • API String ID: 0-2826663437
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: W
                            • API String ID: 3519838083-655174618
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C3E07E9
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C3E07F3
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C3E0800
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,6C3DF7A5,?,?,?,?), ref: 6C3DF70F
                            • TerminateProcess.KERNEL32(00000000,?,6C3DF7A5,?,?,?,?), ref: 6C3DF716
                            • ExitProcess.KERNEL32 ref: 6C3DF728
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C45489B
                              • Part of subcall function 6C455FC9: __EH_prolog.LIBCMT ref: 6C455FCE
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: @ K
                            • API String ID: 3519838083-4216449128
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: x=J
                            • API String ID: 3519838083-1497497802
                            • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction ID: 3b8d10f2599764de2006c73f412f25123341bd0a6ad0748cb86e0feeafd20e67
                            • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction Fuzzy Hash: B591DF31F812099ADF04DFA4C890EEDB772BF65358F20807ED8616BB51DB32594ACB90
                            APIs
                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C3D7E20
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C3D8643
                              • Part of subcall function 6C3D98E9: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C3D862C,00000000,?,?,?,6C3D862C,?,6C40555C), ref: 6C3D9949
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                            • String ID:
                            • API String ID: 915016180-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @4J$DsL
                            • API String ID: 0-2004129199
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aullrem
                            • String ID:
                            • API String ID: 3758378126-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: (SL
                            • API String ID: 0-669240678
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: xUMl
                            • API String ID: 0-3832260367
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction ID: 712fd5e3cd1f917bd0a7edbc98eefd9c3632eae13d540ac76c3aab6c2c20cddd
                            • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                            • Instruction Fuzzy Hash: 62729DB16042128FD758CF28C490A98FBE1FF88314B5A56ADD95ADB742DB30E8D5CBD0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction ID: 5c550ec7ec860e18edf5f86a961b99013ebfe9dc5292aaa6c2a1a46dba39e361
                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction Fuzzy Hash: B762F4B1A093558FC724CF19C480E1ABBF1BFC8749F248A2EE89987715D770E845CB92
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                            • Instruction ID: 67c58ce9a4c8acf91015fa8f9f5716e1bfec31c59b6c032717283a18befc0059
                            • Opcode Fuzzy Hash: a58f6c5b0b87d5f12fe17b5b5b78f65cee349bf84e9962db46f9d84bc39cd103
                            • Instruction Fuzzy Hash: 07428031604B158FD368DF69C880FAAB7F2FB84354F044A2EE896C7B94D774A549CB81
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                            • Instruction ID: cfdf150783ce3e026284bada2b8ef292c2b32319dd89cb2959d2bf8a759b31ea
                            • Opcode Fuzzy Hash: dc8004adaa3259f52bc6ab735d8be8844deca4391a1dba6202427b66ce1407bc
                            • Instruction Fuzzy Hash: 2102F773A083614BD715CE2DCC80A19BBE3FBC13D0F5A5A2EE8A547794DAB09946C781
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction ID: e359d555d143d0f5addc4c6316601601f6e88bb99f4bcf3f178de196db93c27f
                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction Fuzzy Hash: CC020B32A082218FD319CE28C490F59BFF2FBC43D5F154B2DE8A697A94D7709845CB92
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                            • Instruction ID: 87c6537904edf819a78590ce8e0c62e683655b911255bb1b3e4c2f67ccd6135f
                            • Opcode Fuzzy Hash: 04f499f9e3d4c93c3ee3b28235ad2abed55ba3d5e2a4d0777d40b1e79efdc42e
                            • Instruction Fuzzy Hash: A512A070604B618FC324CF2EC494A26FBF2BF85305B188A6ED5D687BA1D635E548CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction ID: 2fb119fadcdd134b38f96124d24e50654a89020672833ed2d0b6f2ec5da8b7ec
                            • Opcode Fuzzy Hash: 70a9c9e80daef2df3b25ccf8549349f6a1d4fdfd7731b9f920c9a3da36d7342a
                            • Instruction Fuzzy Hash: C9E1FE71705B008BE724CF28D4A0BEAB7E2EBC4314F544A2DD5A6C7B81DB35E50ACB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                            • Instruction ID: 70f8b080d71264f6f86593af343e5f5bfa6dd59028abe087499a10fdd7e306db
                            • Opcode Fuzzy Hash: 2bbd660b0b6b3ed67628fad2252f6cf995a3246cee064cb0bfa737aff63ec289
                            • Instruction Fuzzy Hash: 6CF1C170608B618FC329CF2DC490A66FBE1BF89305F184A6ED1D68BB91D339E554CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                            • Instruction ID: d30aaf772da0862f1a162b0d0864cebb11c5795ac43f2de43a9be091c8241493
                            • Opcode Fuzzy Hash: b0f25bae375294626f84eebbb02985cc894b79d37dbce9afd4d280b88824898c
                            • Instruction Fuzzy Hash: 64F1EF705087618FC329DF29C490A6AFFF2BF85305F188A2ED4D68AB91D339E155CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction ID: f2f42f21b52ae3a1a7d9cddce2a58cf940f64d1cd0107562491aec61891c40d1
                            • Opcode Fuzzy Hash: 2d001f70021adf80f04e27e8359f5713b9c218b059c1a64901c9b96791ed9031
                            • Instruction Fuzzy Hash: DFC1EF71605B068BE369CF2DC490AEAB7E2EBC4314F548A2CC5A6C7B45E730F485CB81
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                            • Instruction ID: 316a671724f93527b15d3e9352689f64d1265df3b63dadb816869af3da3cb3ea
                            • Opcode Fuzzy Hash: ec689b497c358338b72b358a92d889533f653208c8e8c7d7476938d601be6615
                            • Instruction Fuzzy Hash: F6E1D6B18047A64FE398EF5CDCA4A3577A1EBC8300F4B427DDA650B392D734A942DB94
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction ID: 531f8f2b7fbef304f9ac9e29224722af1164acad74770307606de306e5f5ee6a
                            • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction Fuzzy Hash: FFC1E4356087418BC729CE39D0A4AA7BBE2EFD9314F148A6DC4CA4BB55DE30E40ECB55
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                            • Instruction ID: f575a4b247e6bc6f68cc59f74ebcf64a2b013bbb72dbb1f17a82491beba7b8e1
                            • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                            • Instruction Fuzzy Hash: CFB18F75A022408FC341DF28C884A44BBA2FF8526DBB9869EC5949F746E337D847CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                            • Instruction ID: 14a97bd5b3ebf98376bad85c7231565aa2de4d0664a3a0704f4c29b6baaaf26f
                            • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                            • Instruction Fuzzy Hash: D1D1F7B1848B9A5FD394EF4DEC81A357762AB88301F4A8239DB6007753D634BB12D794
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction ID: 680d5aacba8212cd89073cb4306b4134d185c34aff48d9d5019dec97f3f9476c
                            • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction Fuzzy Hash: 38B1BF31305B054BE725DB39C890FEABBE1AF84708F044A2DD99A87781EF35B50987E5
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                            • Instruction ID: 8ce050620a16db2d7a7caf77e78a1709f751ecaf102a089f57a4b1f93fc54c4b
                            • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                            • Instruction Fuzzy Hash: 51617DB27092158FD708CFA9E190E96B3E9EB99361B1686BFD105CB361E731DC41CB18
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                            • Instruction ID: 8c522c7a5804263b904dfeec6abd83d1a05cf51943a3dc3a00bc2c92be76d80c
                            • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                            • Instruction Fuzzy Hash: 65917C7281872A8BD314CF1CC88065AB7E0FB88318F09066DED99A7341D739EA55CBC5
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction ID: 1d0c69bb7c7dacbae92b28bf28c664b1156ac0c3839928217320ea29e58272f3
                            • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction Fuzzy Hash: 6E516F72F106099BDB08CF98D9A2AADBBF2EB88304F24816DD515E7781D7789A41CB50
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction ID: bb769e409f613676a8dd7dcc9db87b8beed8cbaaa6fbae086e70f3e5c144fc34
                            • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction Fuzzy Hash: 693114277B440103C72CC92BCC17B9F91575BE423A70ECB396C05DAF59D92CC8129144
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                            • Instruction ID: 60a72d3efdbf026a27473734c3522134ca116955e5701f5b52780d317a36e3eb
                            • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                            • Instruction Fuzzy Hash: 3F31E77B507A051EF201C52E8984F567233DBC336EF298765DA6687BECCA71D8478281
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                            • Instruction ID: ec1018306ee0bf00d9059be1988f9a7973d63ac0c39262a7fc97545357d1f85e
                            • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                            • Instruction Fuzzy Hash: 9C41B2B29047168BD704CF19C8909AAB7E4FF88358F454A6DED5AA7381E330EA15CBC1
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                            • Instruction ID: d5956396e6ec3e4aadccfb4be537c40612a226b04ede88dda14c821738003265
                            • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                            • Instruction Fuzzy Hash: 172139B5E047E607E7209EADCC8067977D29BC1305F094279D9608E64BD5798493D660
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                            • Instruction ID: b3bb37a6e34cbe36d52f3532eb71cb0140b56ad7ac6985a1f16348178fcab3fb
                            • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                            • Instruction Fuzzy Hash: A921377251442547C301DF6DE888E77B3E5FFD431DF638E2AD9968B681C624D446CAA0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                            • Instruction ID: a11b7f91b2177a17d3557b2cf2fdc0aa951d232d6afb6ebb155787c015ef0ea8
                            • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                            • Instruction Fuzzy Hash: C12105336011148FC741EFAAD984B9B73E6EFD8365F67C63DDD8147644C630EA0A8AA0
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction ID: 39502765420412864f758f932a66b49a378404210dc5b519467df557eeda3230
                            • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction Fuzzy Hash: 90E08C32A12238EBCB14CB88C900D8AB7FCEB49B04B1101A7F901E3A01D271DE00DBC0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                            • API String ID: 3519838083-609671
                            • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction ID: c9e183b833ea774d816548a24a45cf07135bbb65178ccefe34e5f7603747f05e
                            • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction Fuzzy Hash: DCD1A531A0621AEFCB11CFA5D980FEDB7B5FF89308F145519E059A3A90DB719D09CBA0
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 6C3DA077
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C3DA07F
                            • _ValidateLocalCookies.LIBCMT ref: 6C3DA108
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6C3DA133
                            • _ValidateLocalCookies.LIBCMT ref: 6C3DA188
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 568b123061a3a29e95071cd691f26667e4287221a7113ae503d1d48130015cbd
                            • Instruction ID: 7b2b40970abb552854066d80f8efe494c1e50b07a13dd55c363efcb804e5b6d5
                            • Opcode Fuzzy Hash: 568b123061a3a29e95071cd691f26667e4287221a7113ae503d1d48130015cbd
                            • Instruction Fuzzy Hash: 3541D232E001299BCF00DF68C880BDE7BB5AF49328F118556E8149BB41D732BA19CFD1
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: api-ms-$ext-ms-
                            • API String ID: 0-537541572
                            • Opcode ID: e3ddb012a0d1a1822a8550b2f12b4b6e3af234d3a2656c2657ce8a744976240f
                            • Instruction ID: bba50048b96acb822081222dbcfc1b5d2bc0f810dd36645d591f047d0531787a
                            • Opcode Fuzzy Hash: e3ddb012a0d1a1822a8550b2f12b4b6e3af234d3a2656c2657ce8a744976240f
                            • Instruction Fuzzy Hash: 3B21F931B45A35ABDB11D72D8C44F0A3B689B0B768B120656EC15A7682D735EC018FF0
                            APIs
                            • GetConsoleCP.KERNEL32(?,6C3EB640,?), ref: 6C3EC469
                            • __fassign.LIBCMT ref: 6C3EC648
                            • __fassign.LIBCMT ref: 6C3EC665
                            • WriteFile.KERNEL32(?,6C3F6026,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C3EC6AD
                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C3EC6ED
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C3EC799
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ConsoleErrorLast
                            • String ID:
                            • API String ID: 4031098158-0
                            • Opcode ID: 28009b9ca087cd08d558d9fdfa98634b1c8cb34c47ef3354cafa6941e48cdd5e
                            • Instruction ID: 93d5dd552185a92c843f6aaae7fc128d4553402f446209ecbdde189744e87c53
                            • Opcode Fuzzy Hash: 28009b9ca087cd08d558d9fdfa98634b1c8cb34c47ef3354cafa6941e48cdd5e
                            • Instruction Fuzzy Hash: A5D19975E012689FCF11DFA9D880AEDBFB5BF49318F28016AE855AB241D731A906CF50
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C2A2F95
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C2A2FAF
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C2A2FD0
                            • __Getctype.LIBCPMT ref: 6C2A3084
                            • std::_Facet_Register.LIBCPMT ref: 6C2A309C
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C2A30B7
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                            • String ID:
                            • API String ID: 1102183713-0
                            • Opcode ID: 72a40cee6eb99b0c040e5bf4b8c7b4a0bc678c756801dc90a362ef10debf6d08
                            • Instruction ID: 0f20ff1f36780214139038d7940869397c8f44d9325e565166b809c0235e9aee
                            • Opcode Fuzzy Hash: 72a40cee6eb99b0c040e5bf4b8c7b4a0bc678c756801dc90a362ef10debf6d08
                            • Instruction Fuzzy Hash: 224168B2E006198FCB00DF99D855BDEBBB0FB49759F054118E859ABB40DB34A905CF91
                            APIs
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv$__aullrem
                            • String ID:
                            • API String ID: 2022606265-0
                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction ID: 098d42f238d35971168aa452a15fa976009632a659a19ed19ae1d61ed2f7a46a
                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction Fuzzy Hash: 1521CE31909219BFDF21CED5CC40DEF7E7AEF417E9F20822AB56061A98D2718D91C6E1
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C41A6F1
                              • Part of subcall function 6C429173: __EH_prolog.LIBCMT ref: 6C429178
                            • __EH_prolog.LIBCMT ref: 6C41A8F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: IJ$WIJ$J
                            • API String ID: 3519838083-740443243
                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction ID: fa6532c6510411201d11a4b20b37afe6e95a3e51d169bc2e5755b68d46d0825e
                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction Fuzzy Hash: 97717D30A04255DFDB14DFA4C444FEDB7B0AF14308F1084ADD9A5ABB91DB74AA4ECB91
                            APIs
                            • ___std_exception_destroy.LIBVCRUNTIME ref: 6C2A2A76
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ___std_exception_destroy
                            • String ID: U#*l$q!*l$Jbx$Jbx
                            • API String ID: 4194217158-3422780366
                            • Opcode ID: 50d6c3b4e30fddfbc49f370c887eb745555d567f0291bb5dadb863f15295401f
                            • Instruction ID: 8daf0b533c6c49d763e7adf10bdb95196cd7720fa356b8b3b9d84e7724b86733
                            • Opcode Fuzzy Hash: 50d6c3b4e30fddfbc49f370c887eb745555d567f0291bb5dadb863f15295401f
                            • Instruction Fuzzy Hash: 385116F29002098FCB14CF99C884A9EBBB5EF88304F15856DEC599B741D331E986CF92
                            APIs
                            • _free.LIBCMT ref: 6C3F604D
                            • _free.LIBCMT ref: 6C3F6076
                            • SetEndOfFile.KERNEL32(00000000,6C3F4C5C,00000000,6C3EB640,?,?,?,?,?,?,?,6C3F4C5C,6C3EB640,00000000), ref: 6C3F60A8
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C3F4C5C,6C3EB640,00000000,?,?,?,?,00000000,?), ref: 6C3F60C4
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _free$ErrorFileLast
                            • String ID: 8Q
                            • API String ID: 1547350101-4022487301
                            • Opcode ID: e977d8b50c896394fe11034f6f8009221627eb55bd661a0f79b0312ca20694a3
                            • Instruction ID: 4d0c5230dabd33b30e5c40c396eec01b5b0819cdcc2147e4fcbf902717b2464a
                            • Opcode Fuzzy Hash: e977d8b50c896394fe11034f6f8009221627eb55bd661a0f79b0312ca20694a3
                            • Instruction Fuzzy Hash: 2641D9B2908606AADB015BB4CC40BCE36B9AF49368F350915E474E7B90D776D84B4F22
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C42E41D
                              • Part of subcall function 6C42EE40: __EH_prolog.LIBCMT ref: 6C42EE45
                              • Part of subcall function 6C42E8EB: __EH_prolog.LIBCMT ref: 6C42E8F0
                              • Part of subcall function 6C42E593: __EH_prolog.LIBCMT ref: 6C42E598
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: &qB$0aJ$A0$XqB
                            • API String ID: 3519838083-1326096578
                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction ID: 25e99f57272d4926a0c8fe70f65883254d7e8f9763a65c552864fae3e8d8a584
                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction Fuzzy Hash: C2218871E01248AACB04DBE4DA95DEDBBB4AF25318F20402EE41667781DB780E0CCBA1
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C3DF724,?,?,6C3DF7A5,?,?,?), ref: 6C3DF6AF
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C3DF6C2
                            • FreeLibrary.KERNEL32(00000000,?,?,6C3DF724,?,?,6C3DF7A5,?,?,?), ref: 6C3DF6E5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 9e8164f6bcd64c63c1b1a5815334ce4122396a55504604c6c255386836b50d3b
                            • Instruction ID: e9c46cc5ac4fcf37b699968c9349e4ee474a5983572ed2b12cb6bd4ed1798eb0
                            • Opcode Fuzzy Hash: 9e8164f6bcd64c63c1b1a5815334ce4122396a55504604c6c255386836b50d3b
                            • Instruction Fuzzy Hash: 8FF0F832745119BBDB11EF91CE09F9E7F78AF0579AF124064B805A2960CB719E00EA94
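The record above (GetModuleHandleExW for mscoree.dll, GetProcAddress for CorExitProcess, FreeLibrary) is the shape of the UCRT's exit-time check for a loaded .NET runtime, i.e. compiler runtime code rather than sample-specific logic, and most of the surrounding records (`__EH_prolog`, `std::_Lockit`, `__dosmaperr`, `_free`) are the same kind of noise. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: a Python triage helper that parses records in this section's format, rebases each call site onto the dump's `Offset` field, and separates functions consisting only of runtime calls from functions whose direct API calls deserve a look. The runtime allow-list and the third, constructed sample record are assumptions of the example.

```python
"""Triage helper for the Joe Sandbox function records shown in this section.
Added example, not part of the report or the analysed sample: it parses the
APIs / Memory Dump Source / Similarity blocks and sorts each function into
'runtime' (only C/C++ runtime calls), 'review' or 'no-direct-calls'."""
import re

# Allow-list of calls the MSVC CRT/STL emit on their own. This set is an assumption
# of this example, not a Joe Sandbox feature; extend it for your own toolchain.
RUNTIME_APIS = {
    "__EH_prolog", "__EH_prolog3", "__dosmaperr", "_free", "_strlen", "__aulldiv",
    "___initconout", "GetLastError", "SetLastError", "CloseHandle", "CreateFileW",
    "WriteConsoleW", "SetFilePointerEx", "AcquireSRWLockExclusive",
    "ReleaseSRWLockExclusive", "WakeAllConditionVariable",
}
# GetModuleHandleExW(mscoree.dll) -> GetProcAddress(CorExitProcess) -> FreeLibrary is
# the UCRT's exit-time check for a loaded .NET runtime (try_cor_exit_process).
COR_EXIT_SEQUENCE = {"GetModuleHandleExW", "GetProcAddress", "FreeLibrary"}

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Similarity"}
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:~]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
FIELD_RE = re.compile(r"•\s*(?P<key>[^:]+):\s*(?P<val>.*)")
SOURCE_RE = re.compile(r"^(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-F]+)")


def parse_entries(text):
    """One dict per function; a record starts at each 'APIs' header."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = {"calls": [], "fields": {}}
                entries.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            if section == "APIs":
                m = API_RE.match(line)
                if m:   # 'Part of subcall' lines are kept but flagged as the callee's calls
                    current["calls"].append({"name": m["name"], "args": m["args"] or "",
                                             "ref": int(m["ref"], 16),
                                             "subcall": m["sub"] is not None})
            else:
                m = FIELD_RE.match(line)
                if m:
                    current["fields"][m["key"].strip()] = m["val"].strip()
    return entries


def classify(calls):
    """Verdict from the function's own calls only; subcall lines belong to callees."""
    direct = [c for c in calls if not c["subcall"]]
    if not direct:
        return "no-direct-calls"
    names = {c["name"] for c in direct}
    args = " ".join(c["args"] for c in direct)
    if (COR_EXIT_SEQUENCE <= names <= COR_EXIT_SEQUENCE | RUNTIME_APIS
            and "mscoree.dll" in args and "CorExitProcess" in args):
        return "runtime"
    if all(n in RUNTIME_APIS or n.startswith("std::") for n in names):
        return "runtime"
    return "review"


def triage(text):
    """Summarise each record, rebasing the first direct call site onto the dump's Offset."""
    rows = []
    for e in parse_entries(text):
        src = SOURCE_RE.match(e["fields"].get("Source File", ""))
        base = int(src["off"], 16) if src else None
        direct = [c for c in e["calls"] if not c["subcall"]]
        rows.append({
            "api_id": e["fields"].get("API ID", ""),
            "strings": [s for s in e["fields"].get("String ID", "").split("$") if s],
            "dump": src["file"] if src else None,
            "rva": direct[0]["ref"] - base if direct and base is not None else None,
            "verdict": classify(e["calls"]),
        })
    return rows


# Sample input: the first two records are copied from this report section; the third
# is constructed for the example and does not come from the analysed sample.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C3DF724,?,?,6C3DF7A5,?,?,?), ref: 6C3DF6AF
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C3DF6C2
• FreeLibrary.KERNEL32(00000000,?,?,6C3DF724,?,?,6C3DF7A5,?,?,?), ref: 6C3DF6E5
Memory Dump Source
• Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
APIs
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C3F4C46), ref: 6C3ED58B
• __dosmaperr.LIBCMT ref: 6C3ED592
Memory Dump Source
• Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
Similarity
• API ID: ErrorLast__dosmaperr
• String ID: 8Q
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00401000
  • Part of subcall function 00401200: __EH_prolog.LIBCMT ref: 00401205
Memory Dump Source
• Source File: constructed_example.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateProcess
• String ID:
"""
```

Running `triage(SAMPLE)` marks the two copied records as `runtime` and the constructed CreateProcessW record as `review`; paste a whole report section into `SAMPLE` (or read it from a file) and filter on `verdict == "review"` to get the short list of functions worth opening in the dump. The `rva` value is relative to the `Offset` field of the dump the record was taken from, so it can be used directly as an offset into that `.sdmp` once it is loaded at that base.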
                            APIs
                            • __EH_prolog3.LIBCMT ref: 6C3D789E
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C3D78A9
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C3D7917
                              • Part of subcall function 6C3D77A0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C3D77B8
                            • std::locale::_Setgloballocale.LIBCPMT ref: 6C3D78C4
                            • _Yarn.LIBCPMT ref: 6C3D78DA
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                            • String ID:
                            • API String ID: 1088826258-0
                            • Opcode ID: 58c8e598a7ad365d3e44fe3e1f948877905923960b8d758603811ec5ba1b2428
                            • Instruction ID: e3f2318c3cc2154afc7fceda44645b997469337ebe3057eb0a3ade70176c1f31
                            • Opcode Fuzzy Hash: 58c8e598a7ad365d3e44fe3e1f948877905923960b8d758603811ec5ba1b2428
                            • Instruction Fuzzy Hash: 68015A76B002119BDB06EF6084509BC7BB1FF86258B165449D89557784DF34BA06CF92
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $!$@
                            • API String ID: 3519838083-2517134481
                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction ID: ae85255b7fa0436cd73f0979c3f8d5b53108270fbb1b697f3eee57001ea3baa4
                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction Fuzzy Hash: BE129F70E15249DFCB04CFA8C490EDDBBB1BF08309F94846DE845ABB55DB31A965CBA0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog__aulldiv
                            • String ID: $SJ
                            • API String ID: 4125985754-3948962906
                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction ID: 417f34b69849ddf8a81c38fed441b088f3bc742659473a29cbe67c8c5ac8c051
                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction Fuzzy Hash: CEB14DB1D102099FCB24CF95C895DAEBBB5FF48324F60852EE415A7B50DB38AA45CB90
                            APIs
                              • Part of subcall function 6C3D7897: __EH_prolog3.LIBCMT ref: 6C3D789E
                              • Part of subcall function 6C3D7897: std::_Lockit::_Lockit.LIBCPMT ref: 6C3D78A9
                              • Part of subcall function 6C3D7897: std::locale::_Setgloballocale.LIBCPMT ref: 6C3D78C4
                              • Part of subcall function 6C3D7897: _Yarn.LIBCPMT ref: 6C3D78DA
                              • Part of subcall function 6C3D7897: std::_Lockit::~_Lockit.LIBCPMT ref: 6C3D7917
                              • Part of subcall function 6C2A2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C2A2F95
                              • Part of subcall function 6C2A2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C2A2FAF
                              • Part of subcall function 6C2A2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C2A2FD0
                              • Part of subcall function 6C2A2F60: __Getctype.LIBCPMT ref: 6C2A3084
                              • Part of subcall function 6C2A2F60: std::_Facet_Register.LIBCPMT ref: 6C2A309C
                              • Part of subcall function 6C2A2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C2A30B7
                            • std::ios_base::_Addstd.LIBCPMT ref: 6C2A211B
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 3332196525-1866435925
                            • Opcode ID: 1fd1e39ea032d59daba946355247e0594cf8d15a846063c52b03dd766746ad70
                            • Instruction ID: 9999c98be481061aaaa1888cc372650a61ed677a028206ae6e453d1d48691f52
                            • Opcode Fuzzy Hash: 1fd1e39ea032d59daba946355247e0594cf8d15a846063c52b03dd766746ad70
                            • Instruction Fuzzy Hash: 6B41A4B1E0030A8FDB00CFA5D845BAABBB4FF44314F144268E919AB791E775E985CF91
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C434ECC
                              • Part of subcall function 6C41F58A: __EH_prolog.LIBCMT ref: 6C41F58F
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :hJ$dJ$xJ
                            • API String ID: 3519838083-2437443688
                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction ID: 82b858da1248999922d020fb1775b0f3afa56189575006c09f955c69c70a52e4
                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction Fuzzy Hash: BD21DCB0901B40CFC760DF6AC14469ABBF4BF29714B40C96EC1AA97B11D7B8A508CF95
                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C3EB640,6C2A1DEA,00008000,6C3EB640,?,?,?,6C3EB1EF,6C3EB640,?,00000000,6C2A1DEA), ref: 6C3EB339
                            • GetLastError.KERNEL32(?,?,?,6C3EB1EF,6C3EB640,?,00000000,6C2A1DEA,?,6C3F4C0E,6C3EB640,000000FF,000000FF,00000002,00008000,6C3EB640), ref: 6C3EB343
                            • __dosmaperr.LIBCMT ref: 6C3EB34A
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID: 8Q
                            • API String ID: 2336955059-4022487301
                            • Opcode ID: bf42ec3a8326843704fdfe8ea767a6ec299abcb4afb1a82fc8fb270bb6f03468
                            • Instruction ID: 775d8ec9809321e32ab47caf506493c2f286c665b3429526f231ee18532c5625
                            • Opcode Fuzzy Hash: bf42ec3a8326843704fdfe8ea767a6ec299abcb4afb1a82fc8fb270bb6f03468
                            • Instruction Fuzzy Hash: 7D01D833714624ABCF069F69DC0589E3B7DDB8A328B650209F8519B680FB71E9018F61
                            APIs
                            • AcquireSRWLockExclusive.KERNEL32(6C4D466C,?,652EF5AA,6C2A230E,6C4D430C), ref: 6C3D7077
                            • ReleaseSRWLockExclusive.KERNEL32(6C4D466C), ref: 6C3D70AA
                            • WakeAllConditionVariable.KERNEL32(6C4D4668), ref: 6C3D70B5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                            • String ID: lFMl
                            • API String ID: 1466638765-628128494
                            • Opcode ID: 203483e942402d7fca3b15ec25ecd7e64cd46476f9ebbedd4dbbe8c602a8c911
                            • Instruction ID: a3212e8369bee10b6e539b5e7d484e61439411fec1d630810377165efb15ad40
                            • Opcode Fuzzy Hash: 203483e942402d7fca3b15ec25ecd7e64cd46476f9ebbedd4dbbe8c602a8c911
                            • Instruction Fuzzy Hash: 20F0A575741950DBCB05FF58DA58E957BB8EB8A391B02906AF90687701CB38AD01CFA4
                            APIs
                            • GetLastError.KERNEL32(?,?,?,6C3DF4D4,6C406DF0,0000000C), ref: 6C3E4F27
                            • _free.LIBCMT ref: 6C3E4F84
                            • _free.LIBCMT ref: 6C3E4FBA
                            • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C3DF4D4,6C406DF0,0000000C), ref: 6C3E4FC5
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast_free
                            • String ID:
                            • API String ID: 2283115069-0
                            • Opcode ID: 78a7b5045c154055daed0b44691d7e02576394d6fbc31729fa19d8c6e494a2c9
                            • Instruction ID: 441ae054a651d023361e6461e4a6820fa5de9d4445533ec672bd80103f490b0a
                            • Opcode Fuzzy Hash: 78a7b5045c154055daed0b44691d7e02576394d6fbc31729fa19d8c6e494a2c9
                            • Instruction Fuzzy Hash: AD11AB313042206B9A127BF55C40E9A217D9BCEB7D726062AF12447BC1DF618C194B11
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,?,6C3F4C5C,00000000,00000000,?,6C3F50C1,00000000,00000001,00000000,6C3EB640,?,6C3EC7F6,?,?,6C3EB640), ref: 6C3F6441
                            • GetLastError.KERNEL32(?,6C3F50C1,00000000,00000001,00000000,6C3EB640,?,6C3EC7F6,?,?,6C3EB640,?,6C3EB640,?,6C3EC28C,6C3F6026), ref: 6C3F644D
                              • Part of subcall function 6C3F649E: CloseHandle.KERNEL32(FFFFFFFE,6C3F645D,?,6C3F50C1,00000000,00000001,00000000,6C3EB640,?,6C3EC7F6,?,?,6C3EB640,?,6C3EB640), ref: 6C3F64AE
                            • ___initconout.LIBCMT ref: 6C3F645D
                              • Part of subcall function 6C3F647F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C3F641B,6C3F50AE,6C3EB640,?,6C3EC7F6,?,?,6C3EB640,?), ref: 6C3F6492
                            • WriteConsoleW.KERNEL32(00000000,?,6C3F4C5C,00000000,?,6C3F50C1,00000000,00000001,00000000,6C3EB640,?,6C3EC7F6,?,?,6C3EB640,?), ref: 6C3F6472
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            • API String ID: 2744216297-0
                            • Opcode ID: 2ba1d821633918a035a2b0b16f32af78dc763bfa15ed72b7c398cb7c3f33be84
                            • Instruction ID: e70767a0b5938fe8bd66c078c981dfd376af2fae8e92658534fced6f71b67d64
                            • Opcode Fuzzy Hash: 2ba1d821633918a035a2b0b16f32af78dc763bfa15ed72b7c398cb7c3f33be84
                            • Instruction Fuzzy Hash: 4FF03036240219BBCF22BFA1DC08A8D3F36FF4A7A5F054414FA98C6560CB329820DF91
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog3_
                            • String ID: 8Q
                            • API String ID: 2427045233-4022487301
                            • Opcode ID: 6fb9c18086804cde45ce21da44076e71d58cfa2e14d06e17ec2eb6034f5d1405
                            • Instruction ID: 8c73586c225a828e9f1dd21d8224da5bc8452aec3c4b06fa5566fcdf8edb99bc
                            • Opcode Fuzzy Hash: 6fb9c18086804cde45ce21da44076e71d58cfa2e14d06e17ec2eb6034f5d1405
                            • Instruction Fuzzy Hash: D571F875D012369BDB508F96C880BEEB7B9EF4D328F24421BE86067A60D736D845CF61
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$hfJ
                            • API String ID: 3519838083-1391159562
                            • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction ID: 1742e016d55cc542bbd638d2ce42d3f178d03685d95d85700bd5b14ba1686685
                            • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction Fuzzy Hash: E1916A70910258EFCB10DF9AC880EEEFBF4BF58308F50552EE559A7A90D770AA49CB50
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C428C5D
                              • Part of subcall function 6C42761A: __EH_prolog.LIBCMT ref: 6C42761F
                              • Part of subcall function 6C427A2E: __EH_prolog.LIBCMT ref: 6C427A33
                              • Part of subcall function 6C428EA5: __EH_prolog.LIBCMT ref: 6C428EAA
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: WZJ
                            • API String ID: 3519838083-1089469559
                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction ID: c59dea9439faf968e74f31db9007f91986cfe988cdcf687ec82befc3f9e1d796
                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction Fuzzy Hash: 75816A31D00158DFCF15DFA8D991EDDB7B4AF18318F1040AEE516A7790DB346A09CBA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: CK$CK
                            • API String ID: 3519838083-2096518401
                            • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                            • Instruction ID: 8143611c94bae9512f5c379dcf41e02b301e84a264dc661bad6d0186e8bb7262
                            • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                            • Instruction Fuzzy Hash: 4A518D75A003059FDB00CFA4C8C4FEEB3B5FB88359F548529D911EBB85DB74A9168BA0
                            APIs
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C3F4C46), ref: 6C3ED58B
                            • __dosmaperr.LIBCMT ref: 6C3ED592
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr
                            • String ID: 8Q
                            • API String ID: 1659562826-4022487301
                            • Opcode ID: be5db8663ec15469d0b23b3e46d44566a083225c426d7867a717b57fa70c037f
                            • Instruction ID: 72a51038962fe99d2fb788b7a79c0e391aa11ad2c7fac254b0316a15aaa4e66f
                            • Opcode Fuzzy Hash: be5db8663ec15469d0b23b3e46d44566a083225c426d7867a717b57fa70c037f
                            • Instruction Fuzzy Hash: F3415971604164AFDB11DF68C880BA97FF9EBCE35CF14425AE8818B681D772AC15CF90
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                             • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: U#*l$q!*l
                            • API String ID: 4218353326-1223450464
                            • Opcode ID: e3bd3e36807e80d8b56ffed9e44d5f8a770c5d3f82cc21d0692e2302877930d0
                            • Instruction ID: aca747e2d2cb02fbb7a868c6cfdf063888397f7edb321087c96782f40ccc0852
                            • Opcode Fuzzy Hash: e3bd3e36807e80d8b56ffed9e44d5f8a770c5d3f82cc21d0692e2302877930d0
                            • Instruction Fuzzy Hash: FC41A3B2D0025C9BCB00DFA5DC84BDEBBB9EF48354F150629E819A7741E7319A49CBA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0|J$`)L
                            • API String ID: 3519838083-117937767
                            • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction ID: 95887e467b77b6fd92dc8a9731ba2bd553b0cbf0f0fa995dcad2eeed2e8daace
                            • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction Fuzzy Hash: 6641BD71705781EFEB11CFA0C490FEABBA2FF45249F14842EE05A97B50CB316908CB92
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _free
                            • String ID: dUMl$hUMl
                            • API String ID: 269201875-31278196
                            • Opcode ID: 63fd74297400f354012b4a2f9cebbe05ef0d1e29081e26cb31f3209541cc3745
                            • Instruction ID: 367f9a980fd496ffe0f8f2f847a81885e62667440944b15fd2a31f38e99d612e
                            • Opcode Fuzzy Hash: 63fd74297400f354012b4a2f9cebbe05ef0d1e29081e26cb31f3209541cc3745
                            • Instruction Fuzzy Hash: D311D6B15053129FD310EF6DD490F82B7E8EB4D3A8B24441FE49987A80E771E845CF52
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$LuJ
                            • API String ID: 3519838083-205571748
                            • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction ID: 88edb1a54cdea510b29056dee0f7573729d58f489579e62f8081fe0b29f41b23
                            • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction Fuzzy Hash: C201A1B1E05245DAEB10DF998480DAEF7B4FF69304F50C42EE569E3B40C3345905CB95
                            APIs
                            • _free.LIBCMT ref: 6C3EE2B9
                            • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C3EABAA,?,00000004,?,4B42FCB6,?,?,6C3DFCFC,4B42FCB6,?), ref: 6C3EE2F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: AllocHeap_free
                            • String ID: 8Q
                            • API String ID: 1080816511-4022487301
                            • Opcode ID: a5e37433927b9b293f5c2c305da9f42b40dfe42daa4803e0a1af3f7118635e9a
                            • Instruction ID: 14383ed5427aa93ee1e1604266121a8e530347635c896250d06731fa4fdffe62
                            • Opcode Fuzzy Hash: a5e37433927b9b293f5c2c305da9f42b40dfe42daa4803e0a1af3f7118635e9a
                            • Instruction Fuzzy Hash: 3BF0FC32601334A5DB213E66AC00B8B376C9FCFB78B114127E95496E80DF32D4018FE2
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: p/K$J
                            • API String ID: 3519838083-2069324279
                            • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                            • Instruction ID: 2a0c951baf4cd672ca1d5ce1c77842ef455258591dc19c50bbd4a4ef9b32ea57
                            • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                            • Instruction Fuzzy Hash: C101BCB1A117119FD724CF59D504BAAB7F4EF54729F10C81EE096A3B40C7F8A5088BA8
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C44AFCC
                              • Part of subcall function 6C44A4D1: __EH_prolog.LIBCMT ref: 6C44A4D6
                              • Part of subcall function 6C44914B: __EH_prolog.LIBCMT ref: 6C449150
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J
                            • API String ID: 3519838083-2882003284
                            • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                            • Instruction ID: 8e57aa89d3532116e82406c12bdfde683e4d5b8cfc3cc44282c30fc69171d6be
                            • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                            • Instruction Fuzzy Hash: 1B0105B1800B50CFD325CF59C5A4ACAFBE0FB15304F90C95EC0A657B50D7B8A508CB68
                            APIs
                            • AcquireSRWLockExclusive.KERNEL32(6C4D466C,?,?,652EF5AA,6C2A22D8,6C4D430C), ref: 6C3D7029
                            • ReleaseSRWLockExclusive.KERNEL32(6C4D466C), ref: 6C3D7063
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C250000, based on PE: true
                            • Associated: 00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ExclusiveLock$AcquireRelease
                            • String ID: lFMl
                            • API String ID: 17069307-628128494
                            • Opcode ID: d47ef8d87bc9745f31e36c5af44fc842ee76ad14ed4d94d97a066c22a0468ad4
                            • Instruction ID: 6a78e12d5f15806f1ce4a96e3a4fc4d0d6e719944c65443971bc3709794a2fc4
                            • Opcode Fuzzy Hash: d47ef8d87bc9745f31e36c5af44fc842ee76ad14ed4d94d97a066c22a0468ad4
                            • Instruction Fuzzy Hash: F1F08236640500DBC710FF15C504AA5BBB8FB873B9F16122EE95547BD0C7353842CE61
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: D)K$H)K$P)K$T)K
                            • API String ID: 0-2262112463
                            • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                            • Instruction ID: ac7ceda6df0a71a5ebb881ee7f6acfd6bbb9c6940b6b392a47929342535aeee3
                            • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                            • Instruction Fuzzy Hash: EF51E131A44209ABCF05CF92D850FDEB7B1AF1536CF10442EE85167F84DB76A949CBA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C408000, based on PE: true
                            • Associated: 00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_6c250000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: (?K$8?K$H?K$CK
                            • API String ID: 0-3450752836
                            • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                            • Instruction ID: cfee6e329cc6aa437f717ebd30f830dfdf6aaa668607d79d8e0a642df6b95074
                            • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                            • Instruction Fuzzy Hash: 75F012B15017009EC320CF45D544B97B7F4AB45759F50C91EE19A97A40D3B8A5088FA8
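The Memory Dump Source entries above all describe regions of one image mapped at 6C250000 (the "Offset" the report gives, with "based on PE: true"); the individual .sdmp files are the separately protected regions of that module, and the IDA snapshot's disassembly comes from the ones with an executable protection. The following helper, an added example that is not part of the Joe Sandbox report or its tooling, decodes those file names into a module layout so an analyst can tell which dump holds code and which holds data before loading one into a disassembler. The meaning of the dot-separated fields is an assumption inferred from the values on this page: the fifth field lines up with the Win32 PAGE_* protection constants (0x02, 0x04, 0x08, 0x20) and the seventh with MEM_IMAGE (0x1000000); the sixth and eighth fields are carried through undecoded. The sample names are the ones listed in this report.

```python
"""Decode Joe Sandbox-style .sdmp memory-dump names into a module layout.

Added example, not Joe Sandbox code. Field meaning is an ASSUMPTION inferred
from this report's values (see comments); treat undecoded fields as opaque.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 PAGE_* protection constants (winnt.h); the low byte carries the base
# protection, higher bits (PAGE_GUARD, PAGE_NOCACHE) are modifiers.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Win32 MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Eight dot-separated fields before ".sdmp". Assumed layout (not documented here):
# 1 process index, 2 run index, 3 decimal serial, 4 region base, 5 protection,
# 6 undecoded, 7 memory type, 8 undecoded.
_SDMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})"
    r"\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Dump:
    name: str
    process_idx: int
    run_idx: int
    serial: int
    base: int
    protect: int
    field6: int      # undecoded, kept verbatim
    mem_type: int
    field8: int      # undecoded, kept verbatim

    @property
    def protection(self) -> str:
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def is_executable(self) -> bool:
        # All PAGE_EXECUTE* values live in the high nibble of the low byte.
        return bool(self.protect & 0xF0)


def parse_sdmp(name: str) -> Optional[Dump]:
    """Return a Dump for a well-formed name, None otherwise (never raises)."""
    m = _SDMP_RE.match(name)
    if not m:
        return None
    f = m.groups()
    return Dump(name, int(f[0], 16), int(f[1], 16), int(f[2]), int(f[3], 16),
                int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7], 16))


def module_layout(names: List[str]) -> List[Dump]:
    """Parse every name that matches and order regions by base address."""
    dumps = [d for d in map(parse_sdmp, names) if d is not None]
    return sorted(dumps, key=lambda d: d.base)


def executable_dumps(names: List[str]) -> List[Dump]:
    """The regions a disassembler snapshot would actually contain code from."""
    return [d for d in module_layout(names) if d.is_executable]


def describe(names: List[str], module_base: int) -> List[str]:
    """One line per region: address, RVA from module base, protection, type."""
    return [
        f"{d.base:016X} +{d.base - module_base:06X} {d.protection:<22} {d.type_name}"
        + ("  <- code" if d.is_executable else "")
        for d in module_layout(names)
    ]


# Names copied from this report's Memory Dump Source entries (module at 6C250000).
SAMPLE_DUMPS = [
    "00000007.00000002.1686822688.000000006C251000.00000020.00000001.01000000.00000009.sdmp",
    "00000007.00000002.1686794270.000000006C250000.00000002.00000001.01000000.00000009.sdmp",
    "00000007.00000002.1687897640.000000006C3F8000.00000002.00000001.01000000.00000009.sdmp",
    "00000007.00000002.1687970990.000000006C408000.00000008.00000001.01000000.00000009.sdmp",
    "00000007.00000002.1688516463.000000006C4D3000.00000004.00000001.01000000.00000009.sdmp",
    "00000007.00000002.1688545107.000000006C4D9000.00000020.00000001.01000000.00000009.sdmp",
    "00000007.00000002.1689268439.000000006C5C3000.00000002.00000001.01000000.00000009.sdmp",
]

if __name__ == "__main__":
    for line in describe(SAMPLE_DUMPS, 0x6C250000):
        print(line)
```

Run stand-alone it prints the seven regions in address order; the two PAGE_EXECUTE_READ regions (6C251000 and 6C4D9000) are the only ones that can contribute to the disassembly listings above, and the 0x1000 gap between 6C250000 and 6C251000 is the read-only PE header of the same image.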